Member Avatar for Aeonix

Since I totally F'd up entire topic. Over here, where nobody has ever known what I meant, until I realized that I said a lot of things that didn't make sense at all, nor I could make up any reasonable statements from smart people out there. By suggestion of said discussion's member. Here I start clean topic, where I'll check 50 times, that what I ask, actually makes damn bit of sense.

What is the server about. Me. The First Party

Let's start with me, 1st party (don't know if that's how it works). Anyways, it's stripped down kernel. There's one application listening to port 69. It receives the HTTPS/1.1, then sends a HTTP/1.1 answers. For example, user who is logging in, he/she sends (imaginary example)
[name="OnlyAlphaNumeric123",pwd="((hashed))"]
It checks into database, on failure:
[result="failure"]
On success:
[result="success",icon="BASE64-BLOB",money="9001",team="Kappa"]

And all works perfectly. Program is designed to send queries through HTTPS, server receives, interprets, finds, provides answer. So far so good. Right?

Typical expected usage. Good user. 2nd Party

Josh decides to download the software. He installs it, has no malicious intents, wants to use program as it was designed. He logs in and starts seeking for "Recommended Allies" or something. He adds people, starts chatting, plays a game and is gone, by this time, since logging in and logging out (after he's done), he's sent these absolutely legal and meant queries to the server:

[login name="Ronald",pwd="whatarethoooose"]
[recfrnds amount="10"]
[addFriend name="Dawg"]
[sendmsg name="Dawg" msg="Hi there!"]
[addFriend name="Fiona"]
[sendmsg name="I <3 U"]
[recfrnds amount="10"]
[addFriend name="Terek"]
[enterGame invited="Terek; Fiona, Dawg"]
[enterGame ready]
[userAction logout]

Thus Josh has logged in, sought for recommendation of allies (for battle game or whatever). Added couple, went onto next page, added next, then invited his friends, and went into game. Then logged out.

Easy peesy lemon squeezy. Right?

Unwanted usage. Bad user. 2nd Party

So program reaches to people of all kind, unfortunately. It also arrives to Dick. Dick, whose parents were prophets. Decides to login into the game, switch between "Recommended Allies", added few, sent few chats. After he captured the HTTPS/1.1 requests he sent, after decryption with public and his private key (because according to this both server and user have key to the encrypted data, which is always findable one way or another, private key + public key = de/encryption key, right?), he finds out that he can send these queries for wanted results:

[login name=#USERNAME#,pwd=#PASSWORD#]
[recfrnds amount=#AMOUNT OF ALLIES#]
[addFriend name=#PERSON NAME#]
[sendmsg name=#PERSON NAME# msg=#CONTENT MSG#]
[enterGame invited=#INVITES PEOPLE#]
[enterGame ready]
[userAction logout]

Knowing that he just deciphered the request his computer could legally send to the servers. He decides to create a program, what will program do? Well.

FOREACH LOGIN => NAME etc.
    [login name=NAME,pwd=PWD]
    TODO = [recfrnds amount="100"]
    FOREACH TODO AS BEASS
        [addFriend name=BEASS]
        [sendmsg name=BEASS msg="Hi, I just came here to recommend you that virus on virus.com"]
    FOREACH END
    [userAction logout]
FOREACHEND

Now, I could detect it, by fact that query would be sent each 0.1ms, and that adding 100 in one shot is rather impossible. But the thing still remains. They could set interval, they could add 10 each time, not 100. The fight would go on.

How could I verify these queries are sent by an illegal program (which has been proven to be doable, look below^)?
I could look on timing, I could set maximum recommendations to 10. But still. I don't like the idea that people would automate queries and force my server to respond, without them actually using the program.

Does that sound anywhere near normal?

^it is doable -
Here's a cut from previous topic.

I was playing online video game, it's quite popular and out there. On some day, a programmer released his very own version of the launcher (with buttons, shop, and ways to enter a game (which still would open the original "battle arena .exe")). Owners of game didn't like it. And even though program sent exactly same query as the original launcher, still, majority of users of this "new launcher" got banned for 3rd party software (as it was forbidden in ToU).
What could be the way they detected it? I mean, of course they could've updated their client to send additional token with HTTP(S) which the newly-forged program wouldn't send, and then ban everybody who didn't send that token (honey token).
But even then, the developer of his own new launcher, could've detected differences in patch version (from 4.2 => 4.3) and then block usage of it (through piece of code in launcher which would detect new version) and find out how the latest version works, update the code a bit, and keep being stealthy.

There must be some hardcore reason why said programmer didn't go for it.

  • 2 Contributors
  • 5 Replies
  • 245 Views
  • 6 Days Discussion Span
  • Latest Post Latest Post by Aeonix
Member Avatar for jkon

Before getting to security you lost me in a part and I am asking just to get it. Forget other security techniques , forget even HTTPS , you wrote that the “bad” user might send[login name=#USERNAME#,pwd=#PASSWORD#], how would he know the password ? Are we talking about the fear of a brute force attack ? You keep the “bad” user IP , don't you ? There are numerous way to secure your app , some I am well acquainted , but I believe that there are more security experts here to give alternatives. I am just asking that because I didn't understood it from your question.

Member Avatar for Aeonix

you wrote that the "bad" user might send[login name=#USERNAME#,pwd=#PASSWORD#], how would he know the password?

Assuming. He/she created 20 accounts of which passwords he/she owns. He/she created 20 accounts, so system can be abused and spammed.

Are we talking about the fear of a brute force attack ?

Least of my worries. I could just make server block attempts for 15 seconds.

You keep the "bad" user IP , don't you ?

It's not like banning 35 malicious IPs would resolve the issue, since there's still 1000 roaming and there's a thing called proxy.

I am just asking that because I didn't understood it from your question.

Wow. My English must really be bad, you're #6 that doesn't understand what I'm asking, dayum. The worst part of it is, I don't know what is not to be understood (not blaming you or anything).

The entire question resolves to:
How can I detect automated access to my servers through unwanted program?

Edited by Aeonix
Member Avatar for Aeonix

Lately I came up with another idea on how to represent what I'm asking (it does require webdevelopment knowledge)

Let's say your website works with AJAX responses. You send JavaScript file to user's browser, which is a mini-engine, it sends request to your PHP server-side file. PHP answers with JSON. Your JavaScript file understands it and "does it". The question is, how would I prevent, someone who decides to nibble around my JavaScript file to go to http://example.com/donkey.php?getPost=x, and then make his/her own JavaScript file where they would make requests they weren't allowed to be made. For example, use my donkey.php and create identical website, because they technically can ask anything from database, that I ask as well.

Now turn this over to real life applications. How would I prevent someone sending same queries to the server, using their own program?7

Dammit, I really need to know. But I don't know how to explain it so you'd understand, I don't know what's the part, that you don't get.

Edited by Aeonix
Member Avatar for jkon

The issue is that you don't know what you are asking because you haven't tried anything. If you had you would have a minimum understanding of what programming languages are and what is programming. Your final question is “How can I determine if a request is from AJAX ?” but you haven't done even experiments to understand what to ask . So choose a question (and stick to it) , try it understand first and then we could help. One of the reasons I don't want to answer any of your questions (accept from rude joking replies) is that you are not willing to learn , if you want to learn ask a question and stick to it , even if it means that you should try the answers in coding and not in words.

Member Avatar for Aeonix

Your final question is "How can I determine if a request is from AJAX ?"

No, not really. Because I "send AJAX requests" myself too.

(accept from rude joking replies)

Quote me on that one. I don't recall offending anybody or making fun out of someone, especially where I can't specify my problem. For about 5th time, i just don't word good, u know

So choose a question (and stick to it) , try it understand first

I do understand my question, but you don't, because I don't know how to explain it the way you would understand it.

is that you are not willing to learn

If I didn't want to learn, I wouldn't care and I wouldn't sit here put 2 long posts trying my absolute best to explain myself out of my problem. If I didn't care, I wouldn't put up some virtual examples above, and certainly; if I didn't want to learn, I wouldn't be on DaniWeb. After all that's the website's about.

I'm fairly sure, I spend on this topic alone, about 10 times more time than average poster in here, and I'm still seeking answer.

even if it means that you should try the answers in coding and not in words.

Well that's the core of the issue is.

Edited by Aeonix
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.