7

I am having a real hard time to figure this out. Spent around 4 hours crawling the web no SO post to save me.

Imagine a scenario:

  1. I have already written a chrome extension, that captures some particular actions on the webpage (mainly a button click). That action triggers a function, that captures the some user info and button info (all present on the page itself) and displays it

  2. Now i want that the plugin should be able to update this into a database setup on a remote server.

Since I am fluent in PHP (and thus MySQL is good choice), I am looking for a solution to make sure that the updates are made ONLY AND ONLY from the extension itself.

For this I think the best option would be to run a GET/POST request something like http://remoteserver.tld/update-db.php?id=XXXX&action=YYYYY&foo=bar.... etc. But what happens if the user opens/passes post vars to this url outside plugin?

The data will still be updated and integrity will be lost!

The next best idea was to include keys with request, but again the extensions are written in JS, almost anyone can sniff out the keys.

Guide me to the best method to update the database on the remote server and make sure the action is authenticated.

Cheers!

Eric
  • 95,302
  • 53
  • 242
  • 374
whizzzkid
  • 1,174
  • 12
  • 30
  • 5
    anyone can sniff the keys and anyone can sniff out the extension's doing. perfect security is essentially impossible. pick out a level of risk you're willing to work with and secure things up to that point, no further – Marc B Oct 16 '12 at 18:57
  • That's true... but there would be a way that I could on the server end, check that whether the request to update the database is from the plugin, or is it from a forged page?... what options do you think I have @MarcB?... what would have been your take at this?... remember it needs to be as fast as possible... because there are going to be 100s of user working on the intranet updating a host... – whizzzkid Oct 16 '12 at 19:08
  • let's say I am working for one the tech pioneers and need a solid method to protect forgery on this data... because I believe the nerds here will try and hack this data to their best... thanks for your ideas @MarcB – whizzzkid Oct 16 '12 at 19:20
  • in that case, don't do it in a browser. that's like building a supermax prison in the middle of a shopping mall using plastic tarp and duct tape. – Marc B Oct 16 '12 at 19:21
  • how else do you think i can collect user interaction with the webpage?... if I cannot control the webpage, nor can i embed it into a frame or something to control data. – whizzzkid Oct 16 '12 at 19:27
  • what is the problem you're trying to solve here? maybe there are other ways to solve it besides a browser extension. – Jan Prieser Oct 17 '12 at 08:47

1 Answers1

1

The problem here is one of authentication basically, you want to prevent that anyone is able to update anyone elses datastore.

The most apparent fix for this is to send an additional parameter which is hard to enumerate (hashes are a good example) and which is assigned to only a single instance of your extension (so every user generates it's own authentication hash).

For this hash to be effective, it is important that it is not guessable. Do not create the hash solely based on static stuff like ip-adressess or user agent strings.

You could include these static strings to make collisions less likely tho: [pseudo] sha1(ip_address+user_agent+random_integer).

So basically for you this ends up in the following: let the extension generate a hash for the current instance if it runs for the first time, make an initial request to your server to 'register' this new instance, all subsequent requests which have this hash will authenticate to that instance.

also, use SSL encrypted connections to prevent sniffing.

Please don't solve this with security through obscurity like XORing all over the place, people will find out.

Oh and btw, if you're problem is about the data integrity itself, you can't fix that. The data sent is always user-supplied since everything that the machine does is under control of that user (assumingly).

Garuda
  • 374
  • 1
  • 5
  • thanks @garuda: before writing the post I had that already in mind. but the issue is mroe or less: Lets say to update db I send data to remote as http://remote/update/?data= but if it is not being updated by the plugin, anyone can run using browser to add to db, or run a shell script to multiply these records – whizzzkid Oct 18 '12 at 04:26
  • What I had initially planned was: the user updates data into database, and the update page returns a id hash, so the next time the plugin updates, it can only update if it contains only that hash, and that is regenerated at every query! – whizzzkid Oct 18 '12 at 04:29