0

Introduction

I have an application with a built-in registration form. The registration form simply does a POST to my webserver and it will create the account for the user. Let's say the register page (on the server) is found at https://mywebsite/register.php, what stops the user from manually going there and registering the account himself (when sending POST arguments to it, there are obviously no HTML form fields or anything there)?

The user can simply put a proxy between my application and the webserver, get the requests and modify them. This might not sound like an issue to most of you, but for some functions (the webserver does more than handling registration requests) I need to know that the request came from the application and not from the user.

My question

How do I know the request came from the application and is unmodified? Personally, I have thought about encrypting the data (in addition to HTTPS) by some formula (like those hardware authenticators do) and decrypting it on the webserver.

I'd like to hear your thoughts on this and possibly your solution to this.

Devator

2 Answers

0

There is no difference between a browser and a malicious user with some tools. Anything a browser can read and send, a user can too. Client-side (JavaScript, HTTPS) encryption is not going to help, as a user can simply extract the encryption method used from your page and repeat the encryption with their own data.

If you want to prevent POSTing random data, you could use an anti-forgery token. If you can explain how your application sends data to the server and how (and why) exactly you would like to protect that, perhaps a more useful answer can be given.

Community
CodeCaster
-1

In case you choose the encryption way:

You don't need to encrypt all of the data, just one field is enough; you just need to make sure that the source of the POST request is from your application and not something manually.

My solution to you would be to add a hidden field that will hold an encrypted value that will depend on something dynamic (session_id, time, user's email) and use the same encryption key as a decryption key in your PHP file.

Ofir Baruch
  • The user can still do a request to get this hidden input with the encryption key and then send arbitrary data back using this key. You say: _"you just need to make sure that the source of the POST request is from your application and not something manually"_, but that was OP's question: _"How do I know the request came from the application and is unmodified?"_. – CodeCaster May 21 '13 at 08:43
  • The user should not be able to know what the key is. If, for instance, the key would be based on `time`, even if he uses the encryption value, it won't matter since that `time` is no longer relevant. Correct me if I'm wrong – Ofir Baruch May 21 '13 at 08:45
  • _"The user should not be able to know what the key is."_ - then how will the user (or the application) encrypt data? Hidden HTML fields aren't really hidden. – CodeCaster May 21 '13 at 08:52
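
The anti-forgery token from the first answer, computed over the dynamic values the second answer suggests (session id and time), as an added example that is not code from this thread. It uses a keyed HMAC in place of encryption; `issueToken`, `verifyToken`, `TOKEN_TTL`, the key and the session ids are hypothetical names and constructed values.

```php
<?php
// Added example: session-bound, time-limited anti-forgery token.
// All function names, constants and sample values here are hypothetical.
declare(strict_types=1);

const TOKEN_TTL = 900; // seconds a token stays valid (assumed value)

// Server-side secret that never leaves the server. Constructed demo value;
// a real deployment loads a random key from configuration.
$serverKey = hash('sha256', 'constructed-demo-key', true);

// Called when the form is rendered: token = issued.nonce.HMAC(session|issued.nonce)
function issueToken(string $sessionId, string $key, int $now): string
{
    $payload = $now . '.' . bin2hex(random_bytes(16));
    $mac = hash_hmac('sha256', $sessionId . '|' . $payload, $key);
    return $payload . '.' . $mac;
}

// Called by the POST handler before any account is created.
function verifyToken(string $token, string $sessionId, string $key, int $now): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || preg_match('/^\d{1,12}$/', $parts[0]) !== 1) {
        return false; // malformed token
    }
    [$issued, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', $sessionId . '|' . $issued . '.' . $nonce, $key);
    if (!hash_equals($expected, $mac)) {
        return false; // modified token, or token issued to another session
    }
    $age = $now - (int) $issued;
    return $age >= 0 && $age <= TOKEN_TTL; // reject stale or future-dated tokens
}

$now = 1700000000; // constructed timestamp
$token = issueToken('session-A', $serverKey, $now);

// Four cases: same session and fresh, different session, expired, tampered.
var_dump(verifyToken($token, 'session-A', $serverKey, $now + 60));
var_dump(verifyToken($token, 'session-B', $serverKey, $now + 60));
var_dump(verifyToken($token, 'session-A', $serverKey, $now + 3600));
var_dump(verifyToken($token . '0', 'session-A', $serverKey, $now + 60));
```

The check ties a POST to one session and a time window. As the comments above point out, any client that requests the form for its own session receives a valid token, so the token does not identify which program sent the request.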