I hope everyone is doing okay.
I’ve built a React.js website which is hosted in a server with SSL, but I’m not sure whether it’s secure or not. That’s why I decided to ask you for some advice/tips or solutions that will make my website secure.
In this app, I require the user to log in. After the user logs in, my app proceeds to send the credentials (with a Post Request) to my backend server, which is an API hosted in another domain. Then my API uses the post request data for web scraping and eventually returns some data to my frontend.
In the whole process, the only important data are the login credentials. What I did so far to make my website more secure was:
- Using SSL both on my backend and frontend
- I limited the number of requests that can be made to my backend server in a second/minute/hour/day.
- I only use one post request to transfer data between frontend-backend. (frontend sends a post request, backend sends a post request to the website that needs to be scraped, and returns frontend’s post request with scraped data)
- I don’t know the use of this but I read somewhere that using With Credentials in your post request makes it more secure? (I’m not sure about this one.)
(Also, it will be an open-source project, so people will be able to see ) I read that SSL will encrypt my post request, I also used Fiddler to see whether it’s encrypted or not, it was.
Is it possible for individuals with malicious intentions to trace the data I send with the post requests?
Do you think it’s secure enough?
I’m wondering how applications like Skype and Dropbox store access credentials securely on a user’s computer. I imagine the flow for doing this would look something like this:
- Prompt the user for a username/password if its the first time
- Acquire an access token using the user provided credentials
- Encrypt the token using a key which is just really a complex combination of some static parameters that the desktop application can generate deterministically. For example something like:
value = encrypt(data=token, key=[os_version]+[machine_uuid]+[username]+...)
value in the keychain on OSX or Credential Manager on Windows.
- Decrypt the
token when the application needs it by generating the
So two questions:
- Is what I described remotely close to what a typical desktop application that needs to store user access tokens long term does?
- How can a scheme like this be secure? Presumably, any combination of parameters we use to generate the the
key can also be generated by a piece of malware on the user’s computer. Do most applications just try to make this key as hard to generate as possible and keep their fingers crossed that no one guesses how it is generated?
There’s something I don’t get with RDP in a domain. During an authentication, if we’re using a local account of the distant machine, then the creds are in the SAM so all good.
But with a domain account, how is done the comparison ? How does RDP authentication works in this case ?
I’m working on an API that I’d like to be accessible internally by other servers as well as devices that I consider both as confidential private clients. Devices are considered private clients because the client_secret is stored in an encrypted area that prevents from unauthorised readout and modification (even though nothing is never bullet proof)
For auth, I’d like to use OAuth2 with the
client_credentials grant that seems to be a very good fit for these use cases. However I’m wondering how flexible is the standard regarding sharing the client_secret.
Basically the RFC doesn’t say much about sending your client id / client secret, it just offers an example here: https://tools.ietf.org/html/rfc6749#section-4.4.2 which is very simple by using the following header Authorization Basic: base64(client_id:client_secret)
In my opinion, it could be slightly more secure by computing a hash:
- the client requests a random to the server by sending their client_id
- the server replies with a random code (valid for like 10 mins, just like an authorization code)
- the client computes a hash = sha256(client_id, client_secret, code) and asks for a token
- the server computes the same hash, compares the client hash with the computed hash and sends an access token if they match
It would add an extra layer of security in case https is somehow broken or if anyone is able to read the header somehow.
However it doesn’t seem very OAuth2 compliant and I don’t really like re-inventing a standard. Another option would be to create my own extention grant, I’m just wondering if it’s really worth it, like no one seems to have done this.
Also, if I want to share my API with a 3rd party app, not sure it’s a good thing to force them into using something non really standard.
Facebook Apptoken uses OAuth2 client credential code. But the
client_secret are sent to the servier via HTTP GET method. Isn’t this unsecure ?
For instance, any node that has logging enabled between the client and the Facebook server will log the GET URL. Thus exposing login credentials in their logs in clear text.
I think it’s unsecured. Or am I missing something ? Are there other more secure ways to implement client credential that you know ?
Single Sign On in a company means that you have one set of credentials for all the services the company uses / provides to their employees.
Logically, these credentials might also be usable for Wifi.
- Benefits for the employee: Only one password to remember
- Benefits for the company: Wifi access can be revoked on a per-user basis. Administration is centralized.
Are there real-world examples and guidelines how to deal with the fact that Android smartphones store Wifi passwords on Google servers by default? Doesn’t this give Google access to the full digital identity of an employee and access to the company’s internal services?
- Asking users to turn this feature off on their phones seems to be error-prone and might be forgotten. Especially after a smartphone change.
- Prohibiting users to log in the company Wifi from their own devices is impractical and will probably even be ignored.
- Only company-managed phones are also no option, because of point 2.
Is SSO a bad idea concerning Wifi? How do large enterprises, universities, … but also small companies with less “enforceable” rules handle this?
I have a scenario for a penetration test in my mind. imagine i want to test a Linux base virtual server’s login credentials i scan the network with tools like nmap and find the systems with active ssh, then try to test the login credential’s strength (for example with hydra). is this scenario correct or you have other preferred instructions?
In this question I saw that you can use command key to store credentials and then just run a command like
mstsc /v:servername to connect to it without typing anything.
Additionally, you can delete it using the
/delete switch of
Is this at all safe? Or is it more like
ssh-agent where the key is held in memory for a specified period of time?
Assume Mallory knows the server, username and password that Alice uses to send email via smtp. Can Mallory read Alice’s email? Does it depend on the specific system or configuration?
We have a installer that we have built using scripts. When we start the installer, it asks for the database system user and password, which it needs to create application users. We do not want the user doing the installation to know the system user password. Hence we are looking for ways in which installation can go through without sharing the system user password. Few things we have explored. Encrypting the system user password using an utility. This is not very feasible, considering that we have to embed the key in the installer, which is not obfuscated/encrypted(basically user can read it by opening it) Obfuscating the utility used for encryption and installer. This was ok, but it is still unsafe, as obfuscation itself is not fool proof.
Is there any other way , this can be handled. Is there an Oracle API, that we can use? Please suggest.