I'm building an interactive javascript application that needs to make some SOAP requests to a 3rd party server. The problem is the server only accepts basic WS-Security authentication, i.e. plaintext username and password. The simplest solution is to hardcode the username and password into the Javascript then make ajax calls, but obviously that is terrible from a security standpoint (someone can easily view the page source)
The only way I can think of to overcome this is to have a second server where the SOAP username and password is stored, say in a PHP file. Then the Javascript application can make a ajax call to the server, then the server runs the logic and authenticates with the SOAP server. Someone could still make ajax calls to the server outside of my page, but at least they couldn't get at the username and password
I'm thinkng there has to be a better solution, but I can't think of anything else, anyone have any other ideas? Thanks
I think that the best solution is to do the logic in the server side, and if you can, try to use ssl. then you make the ajax calls to the file that does the logic in the same server were you are serving the HTML/Javascript code.
Related
I've been tasked with creating an LDAP authentication on a front-end Javascript application.
I am extremely limited on time and have a very small toolset. The toolset is the front-end javascript application and an available C# application which I can make post and get requests to.
I was thinking I could simply make a call such as https://mybackend.com/authenticate
Where I would post a username and password.
And on the backend this would return whether or not the user was valid in the AD. Which I can then use on the front-end to ensure the user has logged in.
Is this approach extremely unsecure or does it have flaws? I'm thinking that if I am posting to the backend above not much will be exposed.
Any tips would be immensely helpful.
Is this approach extremely unsecure or does it have flaws?
This is not insecure, it's the normal way you would do it. One could add more security by adding a CSRF token, which would be validated on the server for any form submit.
And yes, you should send all the data over HTTPS, this will encrypt the payload.
What you are doing is normal for front-end JavaScript framework like Angular. As long as you use Https, you should be ok.
Only issue is how you will handle the subsequence page requests.
There are two ways to handle it –
Easiest way is to use ASP.Net MVC as login page, and use Cookie Owin Middleware. Since same cookie is sent back to server on API calls, you do not need to do any extra works. You can download my sample code at GitHub - OwinAuthenticationService.
Another way is to use Bearer Token in which you will have to send the same token back to server on every page request.
All method are insecure.
Especially without HTTPS.
But you can put the Authentications in the header of message and use a token generated with a key that only server know.
I've been searching for 2 days and I'm still not sure what I'm supposed to do.
What I currently have is an authentication flow which uses php to search a database to validate the correct userID and password from an user.
However I want to alter this authentication to use "Amazon Cognito User Pools", even though there is a PHP SDK this specific feature (still in beta) doesn't seem to exist for it yet. The examples and sdks that this can currently handle are Mobile (iOS, Android) and Web (JavaScript).
So I have to authenticate as if I was doing a web app (with JavaScript).
To do so I thought I had to replace the authentication php file in where it checks the database to use this JavaScript authentication instead.
As far as i know PHP files don't just execute JavaScript in the middle of a script, but instead they render it to the html result webpage, then the client browser can execute them instead. This would weaken the security and also is not what I want.
So my second idea was to make the PHP call a RESTful request to the same server but a different file. Then the file would be a JavaScript function which authenticates and does everything required and returns the result, then the php file would have the result and I can continue with the normal flow.
Now this seems very strange and kind of wrong, because for my server to use JavaScript files that consume RESTful requests it seems I need to install and run node.js as well.
Is this really the correct approach?
Actually you can implement your own wrapper for this because that kind of thing base on get request or post request on server side. If you have some library that can make post request and get request on PHP for example with curl, u can have a look on their authentication flow and implement your own. Flow link below.
Authentication Flow
I came to a security concern while doing $http.post requests that are received by the backend of my app. I can see all the data that is being sent using for example firebug in Firefox.
Are third parties able to sniff this data? It would be disastrous if someone sniffed the password when someone registers a new account.
Is there a way to secure my AngularJS front-end so that someone won't be able to steal the data in the POST request?
Any advice will be appreciated :)
No javascript can secure your password. Use SSL.
Or better yet, use services your user are already registered to like Google, Facebook or any openID/oAtuh provider so we don't need to go thought the annoying process of creating a new unique password verify the email :)
One of the ways to secure the data being set to/from the backend over HTTP/HTTPS is to not send them in plaintext. For example, it is possible to send md5 digests of login information in an ajax call – and authentication information like passwords etc. should also never be stored as plaintext in your database on the backend.
You might find this https://code.google.com/p/crypto-js/ interesting.
I'm currently planning to develop a HTML5 app. The basic concept is the following:
A user should be able to create a profile with username and password. The Server should be implemented in Ruby on Rails providing a JSONP Api (for Cross-Domain issues).
So the App will send Ajax requests to the Server and get responses from it.
My idea was now to transmit a session_key (generated by server) on the first response back to the client. Then the client has to authenticate himself with this token.
But now i have some issues.
How can i secure the first call of the client (when he is transmitting user and password)?
How can i protect the Session-key from beeing spyed out?
I am a complety noob in security aspects. Therefore it would be great if i could get some hints where to look at.
Secure your connection with SSL. This should require no changes in your code apart from putting 's' after 'http' ;-).
I used add a checksum to the ajax parameters (calculated using the submitted data), and then to crypt the hole ajax request into one string.
Somthing like sRequest=459fdjnfdw4r908vn....
sRequests holds my data (sUser=user&sPass=pass&iCheck=34564).
Edit: My client code was not public, compiled to an app.
Main target is to implement instant annonymous e-mail sending from web by client side script. Don't know if it`s event possible, but maybe you know some workarounds, or maybe some e-mail providers allow to send annonymous e-mails by posting data or have some API for that..
Found how to send mail to gmail by javascript, but problem is you need to have gmail account..
Thanks!
You could have a server-side script set up to watch for HTTP requests that contain a special key or API that would send an email based on hard-coded parameters, or parameters the request contain. On the client-side, you would just set up an AJAX request to call this server-side script. You could use Perl, PHP, Python, etc. to accomplish this.