I am currently in a situation as follows -
I am currently hosting a private webapp, which involves the sending of AJAX calls to the database server and displaying the results. (REST Architecture)
Users can query the database by toggling various buttons, which correspond to a specific query that performs the above operation.
Users have access to the entire database (product feature). However, we only allow the retrieval of a small portion of the database in a single call.
However, I do not want the user to be a able to create a bot that is able to recreate the entire database in a short period of time. At the moment, a user could easily do so by duplicating the HTTP request (access to JS script/packet analyzer).
I have considered the following solutions -
Bot detection algorithms
Captcha
iframe
disabling the ability to read source code/JS files with a custom browser
I would like to find out if any of these solutions are feasible, or if there are any better alternatives/architecture available. I just want to prevent the scrapping of the database.
Please help! Thank you!
Related
I am a beginner to web development, and I am trying to do a notification system with AJAX and jQuery.
In my web application, I have a comment system where you can mention another user. After a comment mentioning a certain user has been written, a new entry on my notifications table will be added, containing the comment, the id of the user who commented and the id of the user(s) who will receive the comment. After the notification is stored in the database, I want the person that was mentioned to receive the notification.
To that effect, I decided to use AJAX. Using the setTimeout() method, I am sending an AJAX request to the database every 2 seconds, and with that, I can display the notifications visually to the user that is meant to receive them.
My only concern is that this will slow down the site once I connect it with a server.
So, I was looking for a way that would allow me to implement a notifications system without slowing the site too much, since the one that I am using currently doesn't seem very efficient.
I would appreciate any help.
I got questions about security. lets say I have data in a div like so
<div id="Q9vX" class="mainContent" data-compname="comp1" data-user="57f70c8e78ae49d41c78876a" data-shortid="Hy85nKVR">
and I do a post request that sends the compname and user id .Couldn't someone change the data-user attribute value before it was sent? Since I'm doing DB operations based on the ID in the div can someone change the id and have the operation occur for the id the villain entered and not the one I initially intended. . I use mongodb, heroku, express. I'm afraid of sessions because they expire and I'm not too comfortable with them. What is the standard procedure for something like this?
For example this div is for a review placed by a user that has the id 57f70c8e78ae49d41c78876a. So if everything went normal and the user presses submit the review will be assigned to that users's Id. but lets say someone decides to go into firebug and changes the id would the review be registered to this new ID?
The value could be changed a user through the developer tools or through a cross site scripting attack where malicious code is injected onto the page. This could be done a number of ways such as adding the code to a file on your server, adding the code to your database if it uses a CMS, or through another means such as a browser extension.
If you have no server side access controls, someone could write a script that compromises the availability or integrity of your data. The availability could be compromised through a denial of service attack where thousands of fake requests are sent to the server trying to exceed the number of concurrent database connections preventing a legitimate user from connecting. The data integrity could be compromised by sending lots of fake requests to the database which could be difficult and time consuming to identify and remove. Also if the review is like a comment box where users can enter data that's displayed on the site, it could be used to inject malicious cross site scripting code.
If you are concerned about security I recommend that you implement access control such as sessions, sanitize the data coming in and going out of your database, and use a secure HTTP connection on your web server.
The Express JS website have an article about security best practices.
I know that direct access to a database via Javasript is not recommended, since the user would get the database login and thus the ability to manipulate the database.
But in my case, the user cannot see the client-side code, since it's a phonegap app.
Is there a way to do it? And it not, what is a good way to do with a serverside part?
its really not recommened to access database from client-side its not only for security reasons, but what if you changed the database access or upgrade to different database, so you will have to change it in your app which you may not be able to access again after users installed if its mobile app and then you stuck to your database for ever,
so whatever you want to do you can add an action in server-side and depend on your params it will formulate your Query,
for example sending parameter for user=true this will search for users tables, sending parameter for account=true will search in users-accounts tables and so on.
I am curious about submitting a form data internally.
Here is an example.
I want to register an account for a website. The website will give a form to register which upon submitting will create an account for me.
But I don't want to go to that site. Instead I'll give a form in my style and collect the same information. Upon submit, I want to create the account automatically. Automatically in the sense, I'll submit the form internally.
The reason why I need this feature is, I don't want my users to create a separate account in another website also. I mean it should save user's time in creating account only. Rest of the things will be taken care by me.
Please let me know if anyone had tried this and had success.
I know it is very difficult for existing accounts and some internal errors. But I also need to track them.
Please let know if this is possible or not.
An Example
There is site called othersite.com which has a form for creating / registering users.
I will a similar form to the user on mysite.com. But upon submit the form information is sent to both mysite.com and othersite.com. Both sites create accounts parallelly with a single form submission.
Unless you are working with AJAX requests and CORS enabled sites, which I assume is not the case, client side technologies ( browser/javascript ) will not help you much to do that.
You have to ask yourself what are the options to integrate with the second site in order to automatically create the account. Following some common patterns used these days:
REST API: You have an url where you can use HTTP to talk to and ask to create the account. Many social networks and other popular services usually expose it. Facebook API
Database: Although it is less recommended you could just insert a new record into the account table if you own and have access to the database used by the second site.
Client Libraries: Some sites provide client libraries so that you can use them together with your project code base. Eg: Twitter Libraries
I have a online user list which is populated by a SQL query to a database table.
When a new user comes online, how can i make the webpage automatically update?
What code do I need to provide?
Thanks
There are a few ways you could do this, but I'll avoid the most tempting WebSockets HTML5 new-ness and suggest the following:
When a user logs on, record the fact that they are logged on to the database.
From your page, poll a service or web page method that lists online users.
If the list changes, update the part of the page that shows the users.
That's the rough outline of what to do. If you need specifics please say what server-side host and programming language you are using. From the client side, please also mention what JavaScript framework you'd prefer or are open to.