Can someone advise me how can I encrypt the XHR response with Coldfusion? I have some tables that I create with Datatable, BootstrapTable and serverside function in a CFC.The problem is that the JSON that I get back is unencrypted so anyone can see the column names and other sensitive informations.As I don't have a lot of experience with Coldfusion, and JS I couldn't find a good implementation for this. Is encrypt function better that hash function? For the login part I created a hash system with salt SHA-512 system. But I couldn't find a way to encrypt the JSON in the CFC and decrypt it in the FrontEnd with JS or CF. I use Coldfusion 9 Enterprise. Any advise is helpful.
You want to encrypt the data that's going to be displayed in the HTML anyway? To #AlexBaban's point, this is nothing to be concerned with. If you want to "hide" the actual database column names, just select them with an alias: select tableID as totally_not_my_pk_column.
You should only be retuning data related to a logged in user's roles or privileges. There should be no "sensitive information" returned that they aren't allowed to see.
Update:
For example if i enable the sorting for 2 columns and i set a different name when i try to sort one of those columns because the query is done again to display the new set of data it needs the name of the column otherwise it will break
How are you handling the data submissions? If you submit to a function with arguments, you can do data type validation, data requirement validation and abstract out the communication between the grid control and the database. If your function argument was sort_column, you pass the grid's sort control value and handle mapping the "alias" to the column's real name in your query.
Related
I am wondering about the right way of validating data on client and server side.
I have spreadsheet, made with JExcel addon, and I have to check if any user has changed headers. Spreadsheet data is generated using pivot function in database, so the column count and order would vary.
I locked all possibilities of headers editing by ordinary users, but if someone knows how to use console, it may be unlocked. The pivot is similar to the picture below:
The JExcel loads data from dynamic JSON generated by PHP script. I can calculate "checksum" for header order, but how to validate it when user will update spreadsheet? I have to validate if user sends spreadsheet based on the same pattern.
How to do it in best way?
EDIT:
I created process logic:
When the data is called by the user, php generates datahash and assigns it to the php session_id.
Session_id is coded into md5 as well as datahash and all is saved to mysql database.
The datahash is passed via http headers with ajax response (to deliver hash for the client-side verification)
After the data is sent back, server reads all hashes generated within current php session.
If any hash matches - data is valid. This solution is good, because I only need info if this data has been sent to user.
You can use some JWT to sign your data in the server-side.
Development Language: Python
Framework: Django 1.11
SQL: PostgreSQL
I have this page that lists all job vacancies in a table. On each row, I have an action link at the end that opens a modal containing more information of the vacancy.
Data layout of the modal is already prepared, I just execute an ajax call so that the dynamic data gets updated with values related to the selected row i.e. monthly salary, office designation, etc.
Here is how my modal looks:
In my views.py, the way I throw the ajax response is by returning a HttpResponse(data, content_type="application/json") which results to having this as a json response:
The above response is via a SELECT * query. Some of those data are primary key value of referenced tables such as the office table.
My questions are:
Is it a good idea for me to return such json response?
Instead of using SELECT *, should I specify the fields I only need so I don't need to worry about those PK values being available for potential hacking?
I think it depends on what other actions you are able to do in your website if a PK is known by a potential exploiter. If they can only use it to construct URLs eg: https://somedomain.com/job/1234/view then it's clearly not an issue if the PK is returned. However, if they can construct a payload to POST to a delete endpoint and you haven't got the correct cross origin and functional authorization in place, then it really will be a huge issue!
From a pure security view point, my starting position would always be to not return PKs unless you have a good reason and you know you have correct security in place everywhere it's needed (including access to your DB server).
Say in my ajax request page, I have a row of results pulled from the database that looks something like this:
while ($stmt->fetch()) {
echo "<p value='".$taskId."' class='titleRsltTask'>".$taskTitle."</p><br>";
}
Here $taskId is the primary key for the row returned. When the results are returned to the DOM, a user can inspect and change this id. Say I have another ajax request to delete or update the above results when .titleRsltTask is clicked,
$(document).ready(function(){
$('.titleRsltTask').click(function(){
id = $(this).attr('value');
$('#taskResults').load('Includes/updateTask.inc.php', {
Id: id
});
});
which uses the value $taskId to find which row to update in updateTask.inc.php.
What are some ways I can verify that the row that the user is updating belongs to them so that they can't update any rows in the table by changing the value in the inspect element?
Is there a better way to set this up in the first place? Does using an SSL help in any way?
Are there other security measures you want to point out, I'd be glad to hear them.
I've done some research on authorization, authentication, and encryption but still not exactly sure what to do in this situation.
I do understand your concern about security, as the value returned are auto incremented numbers.
Using a ssl wont encrypt or provide you any security with such things.
SSL only encrypts other users connection to your website.
SSL encrypts the packets transmitted to your website.
One way you could apply additional layer of security is by encrypting the numeric id returned from the server using some salt algorithm and displaying it in the view in encrypted format.And then decrypt it at the server.
Updating and changing the encrypted value wont do any good even if someone changes it using inspect element, as that would not be processed into a valid value when being decrypted in the server.
Hope this helps.
Thanks
You should reconsider your table structure. If users are only able to change certain row, then on each row include the user ID that can edit it, use authentication with the request (by including a session cookie etc), and add that logic to the UPDATE command. If a group of users can change certain rows, then have an extra column specifying the group ID/privilege, and ensure each user has a privilege level set.
In my react based single page application, my page is divided in two panes.
Left Pane: Filter Panel.
Right Pane: Grid (table containing data that passes through applied filters)
In summary, I have an application that looks very similar to amazon.com. By default, when user hits an application's root endpoint (/) in the browser, I fetch last 7 days of data from the server and show it inside the grid.
Filter panel has couple of filters (e.g. time filter to fetch data that falls inside specified time interval, Ids to search data with specific id etc.) and a search button attached in the header of filter panel. Hitting search button makes a post call to a server by giving selected filters inside post form body, server returns back data that matches filters passed and my frontend application displays this data returned back from the server inside grid.
Now, when someone hits search button in the filter panel I want to reflect selected filters in the query parameter of the URL, because it will help me to share these URLs with other users of my website, so that they can see filters I applied and see data inside the grid matching these filters only.
Problem here is, if on search button click, I use http get with query parameters, I will endup breaking application because of limit imposed on URL length by different browsers.
Please suggest me correct solution to create such URLs that will help me to set the selected filters in the filter panel without causing any side effect in my application.
Possible solution: Considering the fact that we cannot directly add plain strings in query parameter because of URL length limitation from different browsers (Note: Specification does not limit the length of an HTTP Get request but different browsers implement their own limitations), we can use something like message digest or hash (convert input of arbitrary length into an output of fixed length) and save it in DB for server to understand the request and serve content back. This is just a thought, I am not sure whether this is an ideal solution to this problem.
Behavior of other heavily used websites:
amazon.com, newegg.com -> uses hashed urls.
kayak.com -> since they have very well defined keywords, they use
short forms like IN for INDIA, BLR for Bangalore etc. and combine
this with negation logic to further optimize maximum url length. Not
checked but this will ideally break after large selection of filters.
flipkart.com -> appends strings directly to query parameters and breaks
after limit is breached. verified this.
In response to #cauchy's answer, we need to make a distinction between hashing and encryption.
Hashing
Hashes are by necessity irreversible. In order to map the hash to the specific filter combination, you would either need to
hash each permutation of filters on the server for every request to try matching the requested hash (computationally intensive) or
store a map of hash to filter combination on the server (memory intensive).
For the vast majority of cases, option 1 is going to be too slow. Depending on the number of filters and options, option B may require a sizable map, but it's still your best option.
Encryption
In this scheme, the server would send its public key to the client, then the client could use that to encrypt its filter options. The server would then decrypt the encrypted data with its private key. This is good, but your encrypted data will not be fixed length. So, as more options are selected, you run into the same problem of indeterminate parameter length.
Thus, in order to ensure your URL is short for any number of filters and options, you will need to maintain a mapping of hash->selection on the server.
How should we handle permanent vs temporary links?
You mentioned in your comment above
If we use some persistent store to save the mapping between this hash to actual filters, we would ideally want to segregate long-lived "permalinks" from short-lived ephemeral URLs, and use that understanding to efficiently expire the short-lived hashes.
You likely have a service on the server that handles all of the filters that you support in your application. The trick here is letting that service also manage the hashmap. As more filters and options are added/removed, the service will need to re-hash each permutation of filter selections.
If you need strong support for permalinks, then whenever you remove filters or options, you'll want to maintain the "expired" hashes and change their mapping to point to a reasonable alternative hash.
When do we update hashes in our DB?
There are lots of options, but I would generally prefer build time. If you're using a CI solution like Jenkins, Travis, AWS CodePipeline, etc., then you can add a build step to update your DB. Basically, you're going to...
Keep a persistent record of all the existing supported filters.
On build, check to see if there are any new filters. If so...
Add those filters to the record from step 1.
Hash all new filter permutations (just those that include your new filters) and store those in the hash DB
Check to see if any filters have been removed. If so...
Remove those filters from the record from step 1.
Find all the hashes for permutations that include those filters and either...
remove those hashes from the DB (weak permalinks), or
Point that hash to a reasonable alternative hash in the DB (strong permalinks)
Lets analyse your problem and the solution possible.
Problem : You want a URL which has information about the filter applied so that when you share that URL user doesn't land on arbitrary page.
Solutions:
1) Append filter applied with URL. To achieve this you will need to shorten the key of type of filter and the value of filter so that Length of URL don't exceed much for each filter.
Drawback: This is not most reliable solution as the number of filter increase URL length has to increase no other option.
2) Append a unique key of filter applied(hash) with URL. To achieve this you will need to do some changes on server and client both. On client side you will need a encoding algorithm which convert filter applied to unique hash. On server side you will need decoding algorithm which convert unique hash to filter applied. SO now client whenever a URL like this is hit you can make a POST api call which take this hash give you the array of filter applied or on client side only put the logic to convert this hash.
Do all this in componentWillMount to avoid any side effect.
I think 2nd solution is scalable and efficient in almost all cases.
The use case is - user will request some data, user can edit that data and user can persist data on server side. In this scenario I want to have some integrity of data. Here legitimate use can resend the request from Developer tool by putting some malicious values(user is editing in rich text editor) in the JSON data.
To resolve this I am using an approach of calculating MD5/SHA256 of JSON data and send that hash along with data and at server side recalculate the hash from data and compare that hash with input hash. To make it tough I am using salt while generating the hash. The approach I am using is when user logs in- create a Salt and store that in user's session. When user requests the page i am sending the Salt in ModalMap. When user sends request to persist that JSON data, I will use the salt+data to generate hash
Now, my problem here is I want the salt to be hidden from user. The EL evaluated attributes are visible to user from page source and same is the case for scriptlet or jstl.
So, is there any way of accessing some attribute secretly on JSP page?.
I understand that when JSP gets parsed all those tags gets evaluated.
Minification of JS will make it little harder to find but is will not be impossible to retrieve the salt value.
I also understand that I should have such logic at server side but the requirement is preventing me to do that.
If I cannot access attributes secretly then is there any other approach of doing that?.
I have not included any source code here because it's generic.