Objective
If the request information is intercepted by others while accessing a web API, the data of a GET request is exposed outright, and the data of a POST request is just as much at risk; so for an API with high security requirements, authenticating each request is particularly important.
Prevention Policy Analysis
Strategy 1
When the client sends an HTTP request to the API, it sets a key agreed on by both sides in the request header.
Knowledge Points:
1. If a request header sent to a Django program has an underscore (_) in its name, Django will not recognize it.
2. The client's Auth-Api header arrives on the server side in the HTTP_AUTH_API format.
3. The server reads it with client_key = request.META.get('HTTP_AUTH_API').
Client
import requests

key = 'sssdkjrjefjewfakfhkj'
# If a header name sent to a Django program contains an underscore (_), Django will not see it;
# Auth-Api -----> is converted to the HTTP_AUTH_API format,
# and the server reads it with client_key = request.META.get('HTTP_AUTH_API')
response = requests.get(url='http://127.0.0.1:8000/test.html/', headers={'Auth-Api': key}).text
print(response)
Service side
from django.http import HttpResponse

def test(request):
    key = 'sssdkjrjefjewfakfhkj'
    client_key = request.META.get('HTTP_AUTH_API')
    if client_key == key:
        return HttpResponse('you got me.')
    else:
        return HttpResponse("Don't")
Vulnerability: although both sides agreed on the key, the request header can still be intercepted, and the key with it.
Strategy 2
1. The key + the current client timestamp are combined and hashed into one MD5 string.
2. The MD5 string | the current timestamp form one dynamic password string, which is carried in the header.
3. The server receives the password string sent by the client and splits out the client time.
4. The server hashes client time + server key with MD5 again and compares its result with the client's.
Client
import requests
import time
import hashlib

key = 'sssdkjrjefjewfakfhkj'
ctime = str(time.time())

def md5(arg):
    hs = hashlib.md5()
    hs.update(arg.encode('utf-8'))  # python3 hashes bytes, so encode the str first
    return hs.hexdigest()

new_key = '%s|%s' % (key, ctime)  # sssdkjrjefjewfakfhkj|timestamp
md5_str = md5(new_key)
# d0e0ca7d1f8f72d60715696d4baac3b2 (result of hashing key and timestamp)|timestamp
auth_api_val = '%s|%s' % (md5_str, ctime)
print(md5_str)
response = requests.get(url='http://127.0.0.1:8000/test.html/', headers={'Auth-Api': auth_api_val}).text
print(response)
Service side
import hashlib
import time
from django.http import HttpResponse

def md5(arg):
    hs = hashlib.md5()
    hs.update(arg.encode('utf-8'))  # python3 hashes bytes, so encode the str first
    return hs.hexdigest()

def test(request):
    key = 'sssdkjrjefjewfakfhkj'
    # e.g. 052dd27c130f4b9b5a8a4ec4b243962d|1507374976.4620001
    auth_api_val = request.META.get('HTTP_AUTH_API')
    client_md5_str, client_ctime = auth_api_val.split('|', maxsplit=1)
    server_md5_str = md5('%s|%s' % (key, client_ctime))
    if client_md5_str == server_md5_str:
        return HttpResponse('you got me.')
    else:
        return HttpResponse("Don't")
Vulnerability: with some effort the string is now dynamic, but it can still be captured; the client generates many such encrypted strings, and an attacker who obtains any one of them can access the API.
Strategy 3
1. The key + the current client timestamp are combined and hashed into one MD5 string.
2. The MD5 string | the current timestamp form one dynamic password string, which is carried in the header.
3. The server receives the password string sent by the client and splits out the client time.
4. The server hashes client time + server key with MD5 again and checks that its result equals the client's.
5. The dynamic password has a time limit: it is invalid after 5 seconds.
Client
import requests
import time
import hashlib

key = 'sssdkjrjefjewfakfhkj'
ctime = str(time.time())

def md5(arg):
    hs = hashlib.md5()
    hs.update(arg.encode('utf-8'))  # python3 hashes bytes, so encode the str first
    return hs.hexdigest()

new_key = '%s|%s' % (key, ctime)  # sssdkjrjefjewfakfhkj|timestamp
md5_str = md5(new_key)
# d0e0ca7d1f8f72d60715696d4baac3b2 (result of hashing key and timestamp)|timestamp
auth_api_val = '%s|%s' % (md5_str, ctime)
print(md5_str)
response = requests.get(url='http://127.0.0.1:8000/test.html/', headers={'Auth-Api': auth_api_val}).text
print(response)
Service side
import hashlib
import time
from django.http import HttpResponse

def md5(arg):
    hs = hashlib.md5()
    hs.update(arg.encode('utf-8'))  # python3 hashes bytes, so encode the str first
    return hs.hexdigest()

def test(request):
    server_float_ctime = time.time()
    key = 'sssdkjrjefjewfakfhkj'
    # e.g. 052dd27c130f4b9b5a8a4ec4b243962d|1507374976.4620001
    auth_api_val = request.META.get('HTTP_AUTH_API')
    client_md5_str, client_ctime = auth_api_val.split('|', maxsplit=1)
    client_float_ctime = float(client_ctime)
    # the dynamic password is only valid for 5 seconds after the client time
    if client_float_ctime + 5 < server_float_ctime:
        return HttpResponse('I want to crack the password in 5 seconds.')
    server_md5_str = md5('%s|%s' % (key, client_ctime))
    if client_md5_str == server_md5_str:
        return HttpResponse('you got me.')
    else:
        return HttpResponse("Don't")
Vulnerability: although the encrypted string now has a time limit, the time window itself is a weakness: within those 5 seconds a captured string can still be reused.
Strategy 4
1. The key + the current client timestamp are combined and hashed into one MD5 string.
2. The MD5 string | the current timestamp form one dynamic password string, which is carried in the header.
3. The server receives the password string sent by the client and splits out the client time.
4. The server hashes client time + server key with MD5 again and checks that its result equals the client's.
5. Dynamic + encrypted string + time limit: invalid after 5 seconds.
6. Record the encrypted strings seen from clients in the last 5 seconds; if the current request uses a string that already exists in the record, it has been stolen (because every legitimate access to the API carries a different encrypted string).
Client
import requests
import time
import hashlib

key = 'sssdkjrjefjewfakfhkj'
ctime = str(time.time())

def md5(arg):
    hs = hashlib.md5()
    hs.update(arg.encode('utf-8'))  # python3 hashes bytes, so encode the str first
    return hs.hexdigest()

new_key = '%s|%s' % (key, ctime)  # sssdkjrjefjewfakfhkj|timestamp
md5_str = md5(new_key)
# d0e0ca7d1f8f72d60715696d4baac3b2 (result of hashing key and timestamp)|timestamp
auth_api_val = '%s|%s' % (md5_str, ctime)
print(md5_str)
response = requests.get(url='http://127.0.0.1:8000/test.html/', headers={'Auth-Api': auth_api_val}).text
print(response)
# If a header name sent to a Django program contains an underscore (_), Django will not see it;
# Auth-Api -----> is converted to the HTTP_AUTH_API format,
# and the server reads it with client_key = request.META.get('HTTP_AUTH_API')
Service side
import hashlib
import time
from django.http import HttpResponse

def md5(arg):
    hs = hashlib.md5()
    hs.update(arg.encode('utf-8'))  # python3 hashes bytes, so encode the str first
    return hs.hexdigest()

visited_keys = {}  # in practice use memcached/redis with a 5 second timeout

def test(request):
    server_float_ctime = time.time()
    key = 'sssdkjrjefjewfakfhkj'
    # e.g. 052dd27c130f4b9b5a8a4ec4b243962d|1507374976.4620001
    auth_api_val = request.META.get('HTTP_AUTH_API')
    client_md5_str, client_ctime = auth_api_val.split('|', maxsplit=1)
    client_float_ctime = float(client_ctime)
    # 1st check: time limit
    if client_float_ctime + 5 < server_float_ctime:
        return HttpResponse('I want to crack the password in 5 seconds.')
    # 2nd check: MD5 of key and client time must match
    server_md5_str = md5('%s|%s' % (key, client_ctime))
    if client_md5_str != server_md5_str:
        return HttpResponse("Don't")
    # 3rd check: the string must not have been used within the window
    if visited_keys.get(client_md5_str):
        return HttpResponse('you give up.')
    visited_keys[client_md5_str] = client_float_ctime
    return HttpResponse('OK')
Vulnerability: left for readers to add....
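The following is an added, framework-free example (not code from the original post) that puts strategies 2, 3 and 4 together so the three server-side checks can be exercised with fixed clock values instead of a running Django app. The shared key and the 'md5(key|ctime)|ctime' header format are the page's; the ApiAuthenticator class, the WINDOW constant, the string result codes and the sample timestamps are assumptions of this example. It goes beyond the post in two places, both marked in comments: the replay record evicts entries once they fall outside the window (the job the post delegates to memcached/redis), the digest comparison is constant-time, and a timestamp far in the future is rejected, since the post's check only catches timestamps in the past.

```python
import hashlib
import hmac
import time

KEY = 'sssdkjrjefjewfakfhkj'  # shared key, same value as in the post
WINDOW = 5                    # seconds a dynamic password stays valid (assumed constant)


def md5(arg):
    """MD5 hex digest of a str, matching the post's helper."""
    return hashlib.md5(arg.encode('utf-8')).hexdigest()


def make_auth_value(key, ctime):
    """Client side (strategies 2-4): build 'md5(key|ctime)|ctime'."""
    ctime = str(ctime)
    return '%s|%s' % (md5('%s|%s' % (key, ctime)), ctime)


class ApiAuthenticator:
    """Server side, strategy 4, with no Django dependency.

    self.visited stands in for the post's memcached/redis record of the
    encrypted strings seen in the last WINDOW seconds.
    """

    def __init__(self, key, window=WINDOW):
        self.key = key
        self.window = window
        self.visited = {}  # md5_str -> client timestamp

    def _expire(self, now):
        # Drop records that are outside the window; they can no longer pass check 1,
        # so keeping them would only let the dict grow forever.
        stale = [k for k, t in self.visited.items() if t + self.window < now]
        for k in stale:
            del self.visited[k]

    def check(self, auth_api_val, now=None):
        """Return 'ok' or the reason the header value was rejected."""
        now = time.time() if now is None else now
        if not auth_api_val or '|' not in auth_api_val:
            return 'malformed'
        client_md5_str, client_ctime = auth_api_val.split('|', maxsplit=1)
        try:
            client_float_ctime = float(client_ctime)
        except ValueError:
            return 'malformed'
        # 1st check (strategy 3): the password is only valid for WINDOW seconds
        if client_float_ctime + self.window < now:
            return 'expired'
        # Extra check, beyond the post: a timestamp far in the future would never expire
        if client_float_ctime > now + self.window:
            return 'future'
        # 2nd check (strategy 2): recompute md5(key|client_ctime); constant-time compare
        server_md5_str = md5('%s|%s' % (self.key, client_ctime))
        if not hmac.compare_digest(client_md5_str.encode(), server_md5_str.encode()):
            return 'bad_signature'
        # 3rd check (strategy 4): the same string must not be used twice within the window
        self._expire(now)
        if client_md5_str in self.visited:
            return 'replay'
        self.visited[client_md5_str] = client_float_ctime
        return 'ok'


def demo():
    """Walk one header value through the checks at a few fixed clock values."""
    auth = ApiAuthenticator(KEY)
    t0 = 1507374976.4620001  # constructed client timestamp, same shape as the post's
    val = make_auth_value(KEY, t0)
    results = {
        'first use': auth.check(val, now=t0 + 1),
        'same value again': auth.check(val, now=t0 + 2),
        'after the window': auth.check(val, now=t0 + 6),
    }
    for label, result in results.items():
        print('%-18s -> %s' % (label, result))
    return results


if __name__ == '__main__':
    demo()
```

The order of the checks matters: the cheap timestamp test runs before the digest is recomputed, and the replay record is consulted only after the digest has verified, so an unauthenticated request cannot fill the record with arbitrary strings. The post's own construction, md5 over key|timestamp, is kept so the values line up with the page; in new code the standard choice for this kind of keyed check is hmac.new(key, message, hashlib.sha256), which the same class can adopt by swapping the md5 helper.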
API Validation Plugin