
Protecting APIs against Replay Attack

Replay attacks are a common attack against public APIs.

What is a replay attack?

An attacker intercepts a valid HTTP request to your API and then replays the same request again and again, tricking your API into treating each copy as a legitimate request coming from your user.

Protection

Here is a very simple method that I use to protect my APIs from Replay Attacks.

Client side steps

1. Generate a unique token on the server for the device when the app is used for the first time, or, if the app requires login, generate the token on successful login.

2. Whenever the app makes a call to the server, it adds the following HTTP headers:

  • Token
  • A 128-character random value (call it Random1)
  • The current Unix timestamp of the device
  • SHA256 of "Token+|||+Random1+|||+Timestamp", where + is string concatenation (call the result Random2)

Server side steps

When an HTTP request is received by any API endpoint, the server takes the following steps to verify that the request is valid:

  1. Check that Token is a valid token that exists in the database (you can implement an expiry mechanism to make it more secure)
  2. Check that Timestamp is valid (close enough to the server's current time)
  3. Calculate SHA256 of "Token+|||+Random1+|||+Timestamp" and compare it with the Random2 present in the request headers
  4. Check that this SHA256 result does not already exist in your database
  5. Save the SHA256 result in the database

You can make it more secure by adding more random numbers. In my example you can see I have 3 pipes hardcoded twice (Token+|||+Random1+|||+Timestamp). You can make the number of pipes random and then pass those random numbers in the request headers.
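The client and server steps above, written out as an added example (this is not code from the original post). It implements the fixed three-pipe separator; the timestamp window of 300 seconds is an assumption, since the post only says the timestamp must be "valid", and the `seen` dictionary stands in for the database table of steps 4 and 5.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

SEPARATOR = "|||"               # the post's three pipes, hardcoded twice in the message
TIMESTAMP_WINDOW_SECONDS = 300  # assumption: the post does not state how "valid" is judged


def sha256_hex(token: str, random1: str, timestamp: str) -> str:
    """SHA256 of Token|||Random1|||Timestamp, hex encoded (the post's Random2)."""
    message = f"{token}{SEPARATOR}{random1}{SEPARATOR}{timestamp}".encode("utf-8")
    return hashlib.sha256(message).hexdigest()


def build_headers(token: str, now: int | None = None) -> dict[str, str]:
    """Client side: the four headers the app attaches to every request."""
    random1 = secrets.token_hex(64)  # 64 random bytes -> 128 hex characters
    timestamp = str(int(time.time()) if now is None else now)
    return {
        "Token": token,
        "Random1": random1,
        "Timestamp": timestamp,
        "Random2": sha256_hex(token, random1, timestamp),
    }


class ReplayGuard:
    """Server side: steps 1-5 of the post. `seen` stands in for the database table."""

    def __init__(self, valid_tokens, window: int = TIMESTAMP_WINDOW_SECONDS):
        self.valid_tokens = set(valid_tokens)   # tokens the server issued (step 1)
        self.window = window
        self.seen: dict[str, int] = {}          # Random2 -> timestamp it was accepted with

    def verify(self, headers: dict[str, str], now: int | None = None) -> str:
        """Return "ok" or a short reason for rejecting the request."""
        now = int(time.time()) if now is None else now
        token = headers.get("Token", "")
        random1 = headers.get("Random1", "")
        timestamp = headers.get("Timestamp", "")
        random2 = headers.get("Random2", "")

        # Step 1: the token must be one the server issued.
        if token not in self.valid_tokens:
            return "unknown-token"
        # Step 2: the timestamp must be an integer close to the server's clock.
        try:
            ts = int(timestamp)
        except ValueError:
            return "bad-timestamp"
        if abs(now - ts) > self.window:
            return "bad-timestamp"
        # Step 3: recompute the hash; compare_digest avoids leaking where it differs.
        if not hmac.compare_digest(sha256_hex(token, random1, timestamp), random2):
            return "hash-mismatch"
        # Step 4: a hash already accepted means this exact request was sent before.
        if random2 in self.seen:
            return "replayed"
        # Step 5: remember it.
        self.seen[random2] = ts
        return "ok"

    def prune(self, now: int | None = None) -> int:
        """Drop stored hashes older than the window; step 2 rejects them anyway."""
        now = int(time.time()) if now is None else now
        old = [h for h, ts in self.seen.items() if now - ts > self.window]
        for h in old:
            del self.seen[h]
        return len(old)


if __name__ == "__main__":
    guard = ReplayGuard(["tok-constructed"])          # constructed token value
    req = build_headers("tok-constructed")
    print(guard.verify(req))   # ok
    print(guard.verify(req))   # replayed: same headers a second time
```

Two points follow from the steps themselves. The `seen` store must be shared by every server instance that accepts the token, or a request rejected by one instance can be replayed against another, and it can be pruned once entries are older than the timestamp window because step 2 already rejects those timestamps. The hash is computed over values that all travel in the request, so it ties the headers together and gives step 4 a single value to look up; the replay protection comes from steps 4 and 5, not from the hash on its own.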
