I am writing an air application in which some keystrokes are sent that activate functions.
Now, since this means that the application shall not be iconized (otherwise the shortcuts would not work), I want to understand if it is possible to send commands (variables) using http query strings.
I have an external device that is capable to send the requests for example: http://localhost/?var=1.
I tried opening a socket but it receives 0 length data when I send something.
Any other suggestion is of course welcome.
Thank you
Related
I got a (Flask) backend powering an API that serves JSON to an Angular app.
I love the fact that my backend (algorithms, database) is totally disconnected from my frontend (design, UI) as it could literally run from two distinct servers. However since the view is entirely generated client side everyone can access the JSON data obviously. Say the application is a simple list of things (the things are stored in a JSON file).
In order to prevent direct access to my database through JSON in the browser console I found these options :
Encrypting the data (weak since the decrypting function will be freely visible in the javascript, but not so easy when dealing with minified files)
Instead of $http.get the whole database then filtering with angular, $http.get many times (as the user is scrolling a list for example) so that it is programmatically harder to crawl
I believe my options are still weak. How could I make it harder for a hacker to crawl the whole database ? Any ideas ?
As I understand this question - the user should be permitted to access all of the data via your UI, but you do not want them to access the API directly. As you have figured out, any data accessed by the client cannot be secured but we can make accessing it a little more of PITA.
One common way of doing this is to check the HTTP referer. When you make a call from the UI the server will be given the page the request is coming from. This is typically used to prevent people creating mashups that use your data without permission. As with all the HTTP request headers, you are relying on the caller to be truthful. This will not protect you from console hacking or someone writing a scraper in some other language. #see CSRF
Another idea is to embed a variable token in the html source that bootstraps your app. You can specify this as an angular constant or a global variable and include it in all of your $http requests. The token itself could be unique for each session or be a encrypted expiration date that only the server can process. However, this method is flawed as well as someone could parse the html source, get the code, and then make a request.
So really, you can make it harder for someone, but it is hardly foolproof.
If users should only be able to access some of the data, you can try something like firebase. It allows you to define rules for who can access what.
Security Considerations When designing web applications, consider
security threats from:
JSON vulnerability XSRF Both server and the client must cooperate in
order to eliminate these threats. Angular comes pre-configured with
strategies that address these issues, but for this to work backend
server cooperation is required.
JSON Vulnerability Protection A JSON vulnerability allows third party
website to turn your JSON resource URL into JSONP request under some
conditions. To counter this your server can prefix all JSON requests
with following string ")]}',\n". Angular will automatically strip the
prefix before processing it as JSON.
For example if your server needs to return:
['one','two'] which is vulnerable to attack, your server can return:
)]}', ['one','two'] Angular will strip the prefix, before processing
the JSON.
Cross Site Request Forgery (XSRF) Protection XSRF is a technique by
which an unauthorized site can gain your user's private data. Angular
provides a mechanism to counter XSRF. When performing XHR requests,
the $http service reads a token from a cookie (by default, XSRF-TOKEN)
and sets it as an HTTP header (X-XSRF-TOKEN). Since only JavaScript
that runs on your domain could read the cookie, your server can be
assured that the XHR came from JavaScript running on your domain. The
header will not be set for cross-domain requests.
To take advantage of this, your server needs to set a token in a
JavaScript readable session cookie called XSRF-TOKEN on the first HTTP
GET request. On subsequent XHR requests the server can verify that the
cookie matches X-XSRF-TOKEN HTTP header, and therefore be sure that
only JavaScript running on your domain could have sent the request.
The token must be unique for each user and must be verifiable by the
server (to prevent the JavaScript from making up its own tokens). We
recommend that the token is a digest of your site's authentication
cookie with a salt for added security.
The name of the headers can be specified using the xsrfHeaderName and
xsrfCookieName properties of either $httpProvider.defaults at
config-time, $http.defaults at run-time, or the per-request config
object.
Please Kindly refer the below link,
https://docs.angularjs.org/api/ng/service/$http
From AngularJS DOCs
JSON Vulnerability Protection
A JSON vulnerability allows third party website to turn your JSON resource URL into JSONP request under some conditions. To counter this your server can prefix all JSON requests with following string ")]}',\n". Angular will automatically strip the prefix before processing it as JSON.
There are other techniques like XSRF protection and Transformations which will further add security to your JSON communications. more on this can be found in AngularJS Docs https://docs.angularjs.org/api/ng/service/$http
You might want to consider using JSON Web Tokens for this. I'm not sure how to implement this in Flask but here is a decent example of how it can be done with a Nodejs backend. This example at least shows how you can implement it in Angularjs.
http://www.kdelemme.com/2014/03/09/authentication-with-angularjs-and-a-node-js-rest-api/
Update: JWT for Flask:
https://github.com/mattupstate/flask-jwt
I am using the URLLoader class to send data to a script that sends an email with that data; the URLLoader is also used to receive the return data on the status of the request. This email script is located on another domain (webscript.io, in this case; they host scripts written in LUA that can perform various functions when called). I don't want to have to get them to host a crossdomain.xml file, but when I visit the page to use the Flash app, I don't even get a security warning. Is that not the default action when there is cross-domain scripting in a Flash application without a crossdomain.xml file?
For your reference, here is the application: http://www.canadadocks.ca/build-dock-app/
The cross domain issues are specifically for data that your SWF is retrieving from other domains. So if you're sending data (via a HTTP POST/GET), then this is not a problem.
Also, unless you're using the debug player, you won't see the security exception that occurs.
There are also various things that will not trigger the exception: like downloading and displaying an image from another domain. However, if you then try to access the bitmap data of that image, you'll get the security exception (unless the crossdomain.xml permits it).
So it can depend on what you're retrieving and what you're doing w/the data you fetch.
If you're still curious, you should further explain what type of data you're retrieving and what you do with it. As usual, it's better to explain that with code than with words ;)
I am building an interactive web application with GWT, and I've come across a problem. The app is basically going to be a GUI for a database.
What I'd like to do:
Populate a MySQL server with data, and serve it via AJAX as a JSON file to my client side code.
The application life cycle should look like this:
Query on the client side -> Query the database -> serve up the requested information -> convert it to JSON -> Send back to client side via AJAX -> process on client side
I'd like to make this without refreshing the page, so the database querying should be ajax too.
If someone could point me to the right direction, I'd be really grateful. I've yet to find any good tutorials or examples to this type of problem.
Using GWT:
1° For Data-oriented app you will want to use GWT RequestFactory
2° If you want to stick to basic RPC here's what happens:
Fill up a form > Click on a button > make a call using RPC, passing a "shared" object as argument to your call > conversion from JSON to Java is handled by GWT > handle the request and make your query > convert the entity/DTO to a GWT "shared" object > your RPC controller returns the result > conversion to Java to JSON is handled by GWT > typically use a Celltable to display the result using a dataprovider, you won't need to reload the page.
If some parts of the process are unclear feel free to ask.
Don't use JSON unless there is some other reason you don't mention. A strong point of GWT is that you can use your entity code in your client side code so all of the client-server communication layer is hidden. Easiest way to do what you are asking:
Create #Entity annotated objects for each table
Create RPC service that exposes operations client needs
Implement database interactions with Objectify
Fetch your entities in GWT using RPC client
How can I interact with my running SPL application? E.g., if I want it to start or stop collecting certain stats, or if I want it to stop Export-ing certain properties?
In SPL, think about a stream whenever you need to send a message/data.
Create an input stream using a *Source operator (e.g., FileSource or UDPSource). When you want to interact with your running SPL application, send a message via that input source. The input stream operator will then send the message to a separate "parser" operator that can then act on the message.
I don't understand. I have searched all internet forums but found nothing helpful. I am trying to update the numberOfLikes field on my postsTable in MySql when the user clicks on the like button. I know this is done through ajax but I am only familiar with prototype ajax and none internet forums state anything about it.
Here's the flow chart
1. On "seeForums.php" user clicks on the "like" link.
2. The like link has an id that triggers the function which updates numberOfLikes on my postsTable.
Thats it. Thats all I need. But I need it in a prototype ajax format, something like this.
function processLikes()
{
new Ajax.Request(theUrl,
{
contentType:"text/HTML",
onSuccess:updateLikesMySql,
onFailure:error
onException:error,
});
}
Helps are appreciated :)
You can't do this with Javascript alone as it is client side only, you'll need to get a server side language (e.g. PHP) involved as well.
The idea is that you send an AJAX request to your PHP file along with the data that you want to update, and your PHP file will handle inserting values into the database. That PHP file would then print an output (e.g. success or failure) which would be received in your Javascript so you can act accordingly.
You should know that the nature of HTTP (web) makes it Request/Response like.
So your backend code runs on the server,
And javascript and all frontend code run on the client.
Client has no access to your database, So you can't do anything to your database with Javascript.
Best thing you can do is ask your serve with javascript to update the database,
Make a server-side script available at some URL,
Then use ajax to call that URL.
In the server-side script, do the code which updates the database.