Asked  1 Year ago    Answers:  5   Viewed   5 times

My friend and I are working on a program. This program is going to submit GET data to our webpage. However, we don't want users accessing the webpage any other way than the program. We can prevent users from sharing the program using HWID authentication, but nothing prevents them from using a packet scanner to get the URL of the webpage. We thought about user-agent authentication, which we will implement, but user-agents can easily be spoofed.

So my question is, how can we prevent users from accessing the webpage directly, instead of through the program?

Even if you don't have an answer that will completely work, anything that will help deter them would be nice.

Currently we will be implementing:

- HWID Authentication to use the program
- User-Agent Authentication to access the web page
- Instant IP Blacklisting to anyone accessing the webpage without the proper User-Agent

 Answers

4

Do not rely on user agent or any kind of browser fingerprint; HTTP headers are easily forged/spoofed.

You could add some secret token (e.g. password/login) to the request and send it through SSL to prevent eavesdropping.

Or better, use an SSL client certificate.

Edit: Are you going to distribute the VB program? If so, as bobince mentioned, there's no way you can prevent a determined hacker from forging requests. You can raise the bar, but it will be security through obscurity. Even with client certs, the hacker will be able to extract the cert from your program and send modified requests.

As long as you accept requests from the client, these requests can be forged. Deal with it.

Saturday, May 29, 2021
 
Wilk
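
The secret-token approach from the answer above, sketched as an added example (not code from the answer or from the asker's project): each user gets an individual key, the program signs every request with HMAC-SHA256, and the server checks the signature instead of the User-Agent. The names `USER_KEYS`, `sign_request`, `verify_request` and the `uid`/`ts`/`data`/`sig` parameters are assumptions; as the answer notes, a key shipped inside a distributed program can still be extracted, so this ties a forged request to one revocable user rather than making forgery impossible.

```php
<?php
// Added illustration; all names and values below are assumptions.
// Constructed sample key store: one secret per user, issued at registration.
const USER_KEYS = ['alice' => 'constructed-sample-key-1'];
const MAX_SKEW  = 300; // seconds a signed request stays valid

// What the client program computes before sending the request.
function sign_request(string $key, string $uid, int $ts, string $data): string
{
    return hash_hmac('sha256', $uid . "\n" . $ts . "\n" . $data, $key);
}

// Server side: accept only if the signature matches that user's key
// and the timestamp is fresh. The User-Agent header plays no part.
function verify_request(array $q, int $now): bool
{
    foreach (['uid', 'ts', 'data', 'sig'] as $p) {
        if (!isset($q[$p]) || !is_string($q[$p])) {
            return false; // missing parameter or array-valued parameter
        }
    }
    if (!array_key_exists($q['uid'], USER_KEYS) || !preg_match('/\A\d{1,12}\z/', $q['ts'])) {
        return false; // unknown user or malformed timestamp
    }
    if (abs($now - (int)$q['ts']) > MAX_SKEW) {
        return false; // outside the freshness window
    }
    $expected = sign_request(USER_KEYS[$q['uid']], $q['uid'], (int)$q['ts'], $q['data']);
    return hash_equals($expected, $q['sig']); // constant-time comparison
}

// Constructed requests, shaped like $_GET after an HTTPS request.
$now  = 1700000000;
$good = ['uid' => 'alice', 'ts' => (string)$now, 'data' => 'score=42'];
$good['sig'] = sign_request(USER_KEYS['alice'], 'alice', $now, 'score=42');

$tampered = $good;
$tampered['data'] = 'score=9999'; // parameter edited after signing

var_dump(verify_request($good, $now));         // request as signed by the program
var_dump(verify_request($tampered, $now));     // edited URL replayed by hand
var_dump(verify_request($good, $now + 3600));  // captured URL reused an hour later
```

Inside the freshness window a captured URL can still be replayed unchanged; rejecting that as well requires the server to remember which signatures it has already accepted.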
 
3

This is what I do to check out that stuff:

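// The header is optional, so fall back to an empty string when it is absent
$u_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
if (strpos($u_agent, "Firefox") === false) { // if not Firefox
    // do something
}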

And added into your code:

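function get_user_browser()
{
    // The header is optional, so fall back to an empty string when it is absent
    $u_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // strpos() returns false when "Firefox" does not occur in the string
    if (strpos($u_agent, "Firefox") !== false) {
        $ub = 'firefox';
    } else {
        $ub = 'other';
    }

    return $ub;
}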

if (isset($_GET['print']) && $_GET['print'] != "" 
                          && get_user_browser() == 'firefox') 
{
    $pg = $_GET['print'];
    if (!file_exists('1')) 
    {
        echo '<b>It worked!</b>';
    }
}
else 
{
    echo '';
}
Thursday, April 1, 2021
 
1

You could use a library like cURL to request the page with the iPhone user agent, and return that page to your site (be sure to expand relative URLs to absolute, with DOMDocument).

However, you may run into edge cases where CSS/JavaScript/images are served differently via the user agent. This is probably not worth requesting each of these assets on the off chance. You could limit the work by requesting once with your user agent, and then the iPhone user agent, doing md5_file() and seeing if they are different. I wouldn't bother though :P

You could also try this JavaScript...

navigator.__defineGetter__('userAgent', function(){
    return 'foo' // customized user agent
});

navigator.userAgent; // 'foo'

Source.

Also remember you may want to give a warning if your users aren't using Safari, which will be the closest to simulate Mobile Safari.

Wednesday, August 4, 2021
 
SubniC
 
5

Rearranging the HTML headers worked. Here is the working script. One can use this as it is.

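use strict;
use warnings;
use CGI;
use File::Basename qw(basename);

my $html = CGI->new;
# get the file name from URL ex. http://<server_IP>/cgi-bin/download.cgi?a=testing.txt
my $file = $html->param('a');
# $file is nothing but testing.txt; keep only the base name and accept only
# plain file names, so the request cannot reach files outside /var/www/upload
$file = basename(defined $file ? $file : '');
die "invalid file name" unless $file =~ /\A[A-Za-z0-9_][A-Za-z0-9._-]*\z/;
my $filepath = "/var/www/upload/$file";

print "Content-Type: application/x-download\n";
print "Content-Disposition: attachment; filename=\"$file\"\n\n";

# three-argument open: the file name cannot change the open mode
open(my $fh, '<', $filepath) or die "can't open : $!";
binmode $fh;
binmode STDOUT;
local $/ = \10240;    # read the file in 10240-byte records
while (<$fh>) {
    print $_;
}

close $fh;
# use unlink if you want to delete the files after download.
#unlink($filepath);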
Thursday, August 12, 2021
 
2

The only way to guarantee information security is to hand roll your own encryption on the server. You could host your firebase connectivity server-side and have your user send the data to that via SSL and from there do your encryption and then use the SSL address of firebase to store.

On the client side, things are suspect to CSS attacks. If you really want to go down this route you can use js encryption from this lib: http://code.google.com/p/crypto-js/. Note that crypto-js works well in isolation, but you will also need to be sure your webpages are not tampered with (quite hard to do IMOP, 'cause you don't know what's infected the user's machine).

Saturday, September 25, 2021
 