Skip to main content

Protecting APIs against Replay Attack

Replay attacks are very popular against public APIs. 

What is a replay attack ?

When an attacker intercepts a valid HTTP request to your API and then replay the same request again and again tricking your API into thinking that it is a valid HTTP request coming from your user.

Protection

Here is a very simple method that I use to protect my APIs from Replay Attacks.

Client side steps

1. Generate a unique token on server for the device when app is used for the first time or if app requires login then generate token on successful login.

2. Whenever app makes a call to server it adds the following in HTTP headers

  • Token
  • 128 characters long random value (call it Random1)
  • Current Unix Timestamp of device
  • SHA256 of "Token+|||+Random1+|||+Timestamp" (call this result Random2)

Server side steps

When a HTTP request is received by any API it takes the following steps to verify the validity of request

  1. Check if Token is a valid token that exists in database (you can implement expiry mechanism to make it more secure)
  2. Check if Timestamp is valid
  3. Calculate SHA256 of "Token+|||+Random1+|||+Timestamp" and compare it with Random2 present in request headers.
  4. Check if this SHA256 result does not already exists in your database
  5. Save SHA256 result in database 

You can make it more secure by adding more random numbers. In my example you can see I have 3 pipes hardcoded twice (Token+|||+Random1+|||+Timestamp). You can make number of pipes random and then pass those random numbers in request headers.

Comments

Post a Comment

Share your wisdom

Popular posts from this blog

Decoding JPEG image file using libavcodec

I got a chance to work on a video encoding application that decodes series of jpeg files and convert them into ogg theora video file. I used the infamous libavcodec library that is used in FFMPEG . I decided to write blog posts explaining how I decode jpeg images and convert them into ogg video file. This is the first part and in this I will explain how to decode jpeg images using libavcodec. To learn how to write decoded images as a ogg video file please read http://random-stuff-mine.blogspot.com/2017/07/encoding-raw-images-to-ogg-theora-video.html Before reading this blog post you must be aware of using and setting up libavcodec. I highly recommend this tutorial to get basics of using libavcodec http://www.ffmpeg.org/doxygen/0.6/api-example_8c-source.html Allocating input format context We will first allocate input format for reading the file. We will use avformat_open_input function that will allocate AVFormatContext structure passed to it , the function detects input typ
Post a Comment
Read more

CryptographicException: An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information

I created a new Blazor Server app in Visual Studio 2019 and tried to run it. But I was getting this error CryptographicException: An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information. I couldn't find any reason or solution to this problem. I tried creating the project multiple times but same error. I created a new .Net Core Web App and added a new razor component and included that component in a razor page (cshtml file) like this @(await Html.RenderComponentAsync<GeofenceWork>(RenderMode.ServerPrerendered)) and <component type="typeof(GeofenceWork)" render-mode="serverprerendered" /> As soon as I navigate to this page that has component added I got the same error: CryptographicException: An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information. This was very frustrating. After hours of trying and searching I figured out the solution. 
Post a Comment
Read more

Multithreaded C# TCP server to handle multiple clients

I decided to write a minimal multithreaded TCP based server as a blog post. Following class can serve as a skeleton for any small or large scale multithreaded TCP socket server. It do not contain much error handling , it is only to give an idea that how multithreaded server works and how it can process multiple clients using threading. using System; using System.Text; using System.Net; using System.Net.Sockets; using System.Threading; using System.Collections.Generic; namespace RandomStuffMine { public class MTServer {     public int Port{get;set;}     public Socket ServerSocket{get;set;}     private List<Client> Clients=new List<Client>();     private bool runServer=true;     public MTServer(int port)     {         Port=port;         ServerSocket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);     }     public void Start()     {         Thread thr=new Thread(new ThreadStart(StartServer));         thr.IsBackground=t
1 comment
Read more