Opening
Hands off my child (the interface)! A back-end programmer writes an interface the way he raises his own child: once it is born, he is responsible for its whole life.
As the business grows, more and more interfaces have to be supported and more users call them. Hackers keep watching, looking for an entrance through which to profit at someone else's expense, so we should think harder about security and nip problems in the bud.
Scenario
Server-side programmers develop business interfaces so that users and servers can interact; these are consumed by the front end or by clients (PC software, mobile apps). When developing an interface, most programmers consider only the business logic and rarely think about its security. Most service interfaces run over HTTP/HTTPS, so with a packet-capture tool such as Fiddler, Wireshark or Charles anyone can capture a request, analyse it, replay it, fire concurrent copies of it, or modify its contents to attack the service.
Examples:
Problem 1. An interface that exposes users' private information is like standing naked in broad daylight for everyone to see.
Description: When writing business interfaces, programmers often have no awareness of protecting user privacy and expose private information. Once someone abuses it, it causes trouble for the users, and when it is discovered it reduces trust in the platform.
Prevention:
- Encrypt or mask private user data, for example by replacing part of it with *: the user's mobile number, e-mail, payment account, mailing address and other private fields in the user JSON;
- Encrypt the private parameters of the user's requests: for example, the password in the login request should be reversibly encrypted on the client, so that a captured request does not reveal the plaintext password;
- Do not put the plaintext user ID, or the token that identifies the logged-in user, in a shareable URL.
Problem 2. An interface that exposes sensitive information is like leaving the key in the lock: anyone who opens the door can walk in.
The JSON data for an activity the user takes part in must not contain data that gives away the activity's business logic. For example: in a bidding activity where only the lowest bidder wins the prize, the interface that returns a bid also exposes the price statistics of all bids.
Prevention:
- Mask sensitive fields in the data, or the part of a field that is decisive for the business, with *.
Problem 3. Data is scraped (JSON data from main business interfaces such as the home-page product list)
Description: Others take the JSON data from your interface to build their own features, which costs you extra server resources.
Prevention:
- Limit the request volume per IP, the volume within a time range, and so on, as rules on IP requests. For example: record request statistics (they can be stored in MongoDB), scan the records on a schedule, and block any IP whose request count exceeds the limit;
- Check the request headers. For example: check whether the User-Agent shows the request was initiated by the app client, and whether the Referer is missing or its domain is not your own domain. (This only adds one more hurdle; it does not stop a determined attacker.)
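The IP request counting and header check above, as an added example that is not code from the original article: a sliding-window per-IP limiter kept in memory in place of the MongoDB records the text mentions, with the window, limit, block duration, app User-Agent prefix and the domain list as assumed values.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlparse

WINDOW_SECONDS = 60             # time range over which requests are counted (assumed value)
MAX_REQUESTS_PER_WINDOW = 100   # allowed requests per IP in that window (assumed value)
BLOCK_SECONDS = 600             # how long an offending IP stays blocked (assumed value)
OWN_DOMAINS = {"www.test.com"}  # the article's own domain; Referer must come from here

class IpThrottle:
    """Per-IP request counting over a sliding window, kept in memory.
    The article suggests storing the counters in MongoDB; a dict stands in here."""
    def __init__(self):
        self.hits = defaultdict(deque)   # ip -> timestamps of recent requests
        self.blocked_until = {}          # ip -> unix time at which the block expires

    def allow(self, ip, now=None):
        """Return True if the request may proceed, False if the IP is over the limit."""
        now = time.time() if now is None else now
        if self.blocked_until.get(ip, 0) > now:
            return False
        q = self.hits[ip]
        q.append(now)
        while q and q[0] <= now - WINDOW_SECONDS:   # drop hits outside the window
            q.popleft()
        if len(q) > MAX_REQUESTS_PER_WINDOW:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            return False
        return True

def headers_look_like_app(headers):
    """Cheap request-header check: User-Agent must identify the app client and the
    Referer, when present, must point at one of our own domains.  Both headers are
    attacker-controlled, so this only raises the bar; it is not authentication."""
    ua = headers.get("User-Agent", "")
    if not ua.startswith("MyApp/"):          # assumed User-Agent prefix of the app client
        return False
    referer = headers.get("Referer")
    if referer is not None and urlparse(referer).hostname not in OWN_DOMAINS:
        return False
    return True
```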
Problem 4. Sleight of hand: malicious modification of request information (parameters, cookies, request headers)
Description: The attacker modifies the parameters in a request and sends it, for example changing the user name and password in the login interface for credential stuffing.
Tip:
Modifying request parameters can lead to a number of security issues, such as SQL injection and XSS (cross-site scripting); my article "Big Talk: Web Security Through a Programmer's Eyes" introduces them and their solutions.
The following scenarios are aimed at clients such as PC software and apps. Doing the encryption in JavaScript on the web side is not recommended, because the JS code is exposed; if you must encrypt in JS, obfuscate the JS code.
Prevention:
- Add a signature parameter: sort the parameters by a fixed rule, concatenate them, append a secret key and take the MD5. When the server receives the request it applies the same logic and compares its own result with the signature parameter; if they differ, the parameters were modified and the server rejects the request as illegal. For example, for the interface http://www.test.com/go/?actid=1&userid=123 we can add a sign parameter = MD5(actid=1&userid=123&"secret"), where "secret" is a key we define ourselves. The server computes the same digest and compares it with sign; if they are not the same, it reports an illegal request.
- Reversibly encrypt the entire parameter content.
- Limit the range of parameters. For example: many people add a pagesize parameter (number of records per page) to a paging interface for convenience. If the maximum page size is not limited and the table is large, an attacker can set pagesize to tens of millions, the database collapses and the related business goes down.
Problem 5. Shadow clones everywhere: simulated requests and concurrent requests
Description: A request is captured with a packet-capture tool and then replayed, for example simulating the daily check-in request, or firing the daily check-in request concurrently.
Tip: How to guarantee data integrity and consistency when requests arrive concurrently is also a problem that needs attention in everyday development; my article "Big Talk: High Concurrency Through a Programmer's Eyes" introduces it and its solutions.
Prevention:
- Against simulated concurrent requests, use IP throttling as described under the data-scraping problem above.
- Include the time in the request information (reversibly encrypted); the server reads the time and rejects requests older than the time limit (so that a captured request does not stay valid forever).
- User tokens that identify important user data and are saved in a cookie need an expiry time, or the encrypted plaintext should carry its creation time and the server enforces an expiry, so that even if the cookie is stolen, the simulated request expires over time;
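The sign parameter of Problem 4 and the time limit of Problem 5 together, as an added example that is not from the original article: parameters are sorted, concatenated with the secret and hashed with MD5 as the text describes, and a ts parameter is carried in the clear but covered by the signature in place of the reversibly encrypted time the text mentions; SECRET, MAX_SKEW_SECONDS and the parameter name ts are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

SECRET = "secret"        # shared key; the article uses the literal "secret" in its example
MAX_SKEW_SECONDS = 300   # a captured request stays valid only this long (assumed value)

def canonical_query(params):
    """Sort parameters by name and join them into a query string; both sides
    must build exactly this string or the signatures will never match."""
    return urlencode(sorted(params.items()))

def sign(params, secret=SECRET):
    """sign = MD5(sorted params + '&' + secret), as the article describes.
    (A modern design would use HMAC-SHA256 here; MD5 is kept to match the text.)"""
    return hashlib.md5((canonical_query(params) + "&" + secret).encode()).hexdigest()

def build_request(params, ts=None, secret=SECRET):
    """Client side: add the timestamp (so a replayed request goes stale) and sign
    everything, including the timestamp, so neither can be altered unnoticed."""
    p = dict(params)
    p["ts"] = str(int(time.time() if ts is None else ts))
    p["sign"] = sign(p, secret)
    return p

def verify_request(received, now=None, secret=SECRET):
    """Server side: reject a missing or stale timestamp and any tampered parameter.
    Returns (ok, reason)."""
    now = time.time() if now is None else now
    p = dict(received)
    got = p.pop("sign", None)
    if got is None:
        return False, "missing sign"
    try:
        ts = int(p["ts"])
    except (KeyError, ValueError):
        return False, "missing or bad ts"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "request expired"
    if not hmac.compare_digest(sign(p, secret), got):  # constant-time comparison
        return False, "illegal request"
    return True, "ok"

def verify_query_string(qs, now=None, secret=SECRET):
    """Same check for a raw query string such as 'actid=1&userid=123&ts=...&sign=...'."""
    return verify_request(dict(parse_qsl(qs, keep_blank_values=True)), now, secret)
```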
Summary
We need to raise our security awareness, prevent problems before they happen, and look at our own interfaces from the attacker's point of view. (Letting yourself feel a little paranoid puts you one step closer to mental illness, < ( ̄︶ ̄)) Do not be a robot that just implements requirements; we are developers who think creatively.
Addendum: my personal development process
- When reviewing requirements, raise questions about the business logic and offer a choice of solutions;
- Once the requirements are settled, sort out the whole business logic clearly; draw a flowchart if it is complex;
- Design the implementation according to the requirements, considering performance issues [database pressure, server pressure] and security issues, and record your design in a document (it can go as deep as how the code is implemented);
- List the function points of the requirement, estimate the time for each, and get the total work hours;
- Start development and get to work;
Big Talk: Interface Security Through a Programmer's Eyes