Whenever I request data from the server using jQuery AJAX, the retrieved data shows up in Firebug, so it is unsafe or hackable.
Even Facebook and Google+ hide their JSON data, but how?
You could use a library like crypto-js to encrypt all data that is sent to and from the server. However, most of the time that is overkill when you already use HTTPS (since you should make your application hack resistant via server-side validation, and safety is ensured by the real encryption offered by HTTPS).
I have stored a video file in BLOB storage. I need to stream this video but, I do not want users to go into developer mode and copy/paste URL on a browser so they can download it.
I have tried many ways to control this but I have failed. I used a SAS token with an expiry, but users are still able to download the content within that expiry period.
My latest approach is to hide the SAS-token-enabled video URL behind Azure API Management Service. This will give me a different URL (which is not the BLOB storage URL) which I will expose on the HTML page. Will this approach work?
No, we cannot hide the backend information on the web. You can't hide anything in your app that runs in a client's browser. Instead, you can secure your backend service.
There are some alternate ways to do that, but we don't hide anything on the web.
1. Mask URLs in content
The redirect-content-urls policy re-writes (masks) links in the response body so that they point to the equivalent link via the gateway. Use in the outbound section to re-write response body links to make them point to the gateway. Use in the inbound section for an opposite effect.
<redirect-content-urls />
Refer to: Mask URLs in content
2. Set backend service
Use the set-backend-service policy to redirect an incoming request to a different backend than the one specified in the API settings for that operation. This policy changes the backend service base URL of the incoming request to the one specified in the policy.
<set-backend-service base-url="base URL of the backend service" />
Or
<set-backend-service backend-id="identifier of the backend entity specifying base URL of the backend service" />
Refer to: Set backend service
Otherwise you can encrypt your video data to secure the backend.
To know the possible ways, see here.
If a client has a valid SAS, it can access your storage account as permitted by the SAS. It's important to protect a SAS from malicious or unintended use. For that, use discretion in distributing a SAS, and have a plan in place for revoking a compromised SAS.
Refer to: SAS for blob
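An added example (not from the answer above or from Azure's own code): a server-side check a practitioner can run on a Blob SAS before handing it to a client, catching the long expiry and broad permissions that let users keep downloading. It inspects only the query-string fields; the signature can only be verified with the account key, which stays on the server. MAX_TTL_SECONDS and the sample tokens are assumptions.

```javascript
// Added example: audit a Blob SAS query string before a client receives it.
// Only the visible fields are checked; the "sig" value cannot be verified here.
const MAX_TTL_SECONDS = 15 * 60; // assumption: short-lived links for streaming

function auditSas(sasQueryString, now = new Date()) {
  const p = new URLSearchParams(sasQueryString.replace(/^\?/, ""));
  const findings = [];
  const perms = p.get("sp") || "";
  const expiry = p.get("se") ? new Date(p.get("se")) : null;
  // If spr is absent, Azure accepts the token over both HTTPS and HTTP.
  const protocol = p.get("spr") || "https,http";

  if (!p.get("sig")) findings.push("missing signature (sig)");
  if (!expiry || Number.isNaN(expiry.getTime())) {
    findings.push("missing or unparsable expiry (se)");
  } else if (expiry.getTime() <= now.getTime()) {
    findings.push("already expired");
  } else if ((expiry.getTime() - now.getTime()) / 1000 > MAX_TTL_SECONDS) {
    findings.push("lifetime exceeds " + MAX_TTL_SECONDS + "s");
  }
  if (!perms.includes("r")) findings.push("no read permission (sp); playback would fail");
  if (perms.replace(/r/g, "") !== "") findings.push("more than read granted (sp=" + perms + ")");
  if (protocol !== "https") findings.push("plain HTTP allowed (spr)");
  return { ok: findings.length === 0, findings };
}

// Constructed sample tokens; "sig=EXAMPLE" is a placeholder, not a real signature.
const GOOD_SAS = "sv=2022-11-02&spr=https&st=2024-01-01T10:00:00Z&se=2024-01-01T10:10:00Z&sr=b&sp=r&sig=EXAMPLE";
const LOOSE_SAS = "sv=2022-11-02&st=2024-01-01T10:00:00Z&se=2024-12-31T23:59:59Z&sr=c&sp=rwdl&sig=EXAMPLE";
const FIXED_NOW = new Date("2024-01-01T10:00:00Z");

console.log(auditSas(GOOD_SAS, FIXED_NOW));  // { ok: true, findings: [] }
console.log(auditSas(LOOSE_SAS, FIXED_NOW)); // three findings: lifetime, permissions, protocol
```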
I am trying to get started with REST API calls by seeing how to format the API calls using a browser. Most examples I have found online use SDKs or just return all fields for a request.
For example, I am trying to use the Soundcloud API to view track information.
To start, I've made a simple request in the browser as follows: http://api.soundcloud.com/tracks/13158665.json?client_id=31a9f4a3314c219bd5c79393a8a569ec which returns a bunch of info about the track in JSON format
(e.g. {"kind":"track","id":13158665,"created_at":"2011/04/06 15:37:43 ...})
Is it possible to get only the "created_at" value returned using the browser? I apologize if this question is basic, but I don't know what keywords to search online. Links to basic guides would be nice, although I would prefer to stay out of using a specific SDK for the time being.
In fact, it's really hard to answer such a question since it depends on the Web API. I mean, if the API supports returning only a subset of fields, you can, but if not, you will receive all the content. From what I saw in the documentation, it's not possible. The filters only allow you to get a subset of elements and not control the list of returned fields within elements.
Notice that you have a great application to execute HTTP requests (and also REST) in Chrome: Postman. This allows you to execute all HTTP methods, not only GET ones, control the headers and sent content, and also see what is received back.
If you use Firefox, Firebug provides a similar thing.
To finish, you could have a look at this link to find out hints about the way Web APIs work and are designed: https://templth.wordpress.com/2014/12/15/designing-a-web-api/.
Hope it helps you and I answered your question,
Thierry
Straight from the browser bar you can utilize REST endpoints that respond to a GET message. That is what you are doing when you hit that URI, you are sending an HTTP GET message to that server and it is sending back a JSON.
You are not always guaranteed a JSON, or anything when hitting a known REST endpoint. What each endpoint returns when hit with a GET is specific to how it was built. In that case, it is built to return a JSON, but some may return an HTML page. In my personal experience, most endpoints that utilize JSON returns expect you to process that object in a computer fashion and don't give you a lot of options to get a specific field of the JSON. Here is a good link on how to process JSON utilizing JavaScript.
You can utilize REST clients (such as the Advanced REST Client for Chrome) to craft HTTP POST and PUT if a specific REST endpoint has the functionality built in to receive data and do something with it. For example, a lot of wiki style REST endpoints will allow you to create a page with a specifically crafted HTTP POST with either specific header information, URI parameters or a JSON as part of it.
You can install the DHC client app in your Chrome and send requests like PUT or GET.
To create a chart, I found that Bloomberg is providing data in JSON format. Please have a look at this URL: http://www.bloomberg.com/markets/chart/data/1Y/IBM:US This sends the data of the chart in JSON format. I want to get this data in an Ajax request, so that I can parse it and create a chart. But I can't use Ajax, as this is a cross-domain affair. I need to use JSONP. I am not sure how the Bloomberg API supports JSONP. If you know how we can use JSONP with the above URL, please let me know. If there is any alternative, please let me know.
You can't. JSONP requires that the server be on board with the transaction so that it can properly handle the callback injection. If the server isn't providing it, there's no way to force it unilaterally.
What you might be able to do, subject to your hosting provider's policies, is have your server-side script load the Bloomberg data, then pass it on from there, either printed in the initial page or as a JSON/JSONP call to your own server (which is probably a better idea, as it leaves you more flexibility to update the data on the fly and also allows the page's markup to be cached).
Note that some hosting providers do not allow outgoing requests because they don't want their servers to be used as proxies (which is, after all, basically what I'm suggesting you do). You may have an option to whitelist Bloomberg, or you may just need to keep outgoing traffic to a minimum (i.e. cache the Bloomberg data on your server so that you're not refreshing it every time someone loads your page). Check your hosting terms.
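The server-side relay the answer describes, as an added example that is not part of the original answer: it only fetches from an allowlisted upstream host (so the relay cannot be turned into an open proxy), caches the feed to keep outgoing traffic down, and validates the JSONP callback name so a caller cannot inject script into the JavaScript response. Function names are hypothetical; the upstream host is taken from the question's Bloomberg URL, and fetchImpl is injected (a synchronous stand-in here) so the module runs offline.

```javascript
// Added example: the server-side half of a JSONP relay for a third-party feed.
const UPSTREAM_HOSTS = new Set(["www.bloomberg.com"]); // never relay arbitrary URLs
const CACHE_TTL_MS = 60 * 1000;                          // throttle outgoing requests
// A JSONP callback must be a plain (optionally dotted) JS identifier; anything
// else would let a caller inject script into the application/javascript reply.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const cache = new Map(); // upstream URL -> { data, fetchedAt }

function isAllowedUpstream(rawUrl) {
  try {
    const u = new URL(rawUrl);
    return (u.protocol === "http:" || u.protocol === "https:") && UPSTREAM_HOSTS.has(u.hostname);
  } catch (e) {
    return false; // not a parsable absolute URL
  }
}

function buildJsonpResponse(callback, data) {
  if (!CALLBACK_RE.test(callback)) {
    return { status: 400, contentType: "text/plain", body: "invalid callback" };
  }
  // JSON.stringify output is safe inside a script once U+2028/2029 are escaped.
  const json = JSON.stringify(data).replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
  return { status: 200, contentType: "application/javascript", body: "/**/ " + callback + "(" + json + ");" };
}

// fetchImpl(url) returns the upstream feed already parsed as JSON.
function relay(upstreamUrl, callback, fetchImpl, now = Date.now()) {
  if (!isAllowedUpstream(upstreamUrl)) {
    return { status: 403, contentType: "text/plain", body: "upstream not allowed" };
  }
  let entry = cache.get(upstreamUrl);
  if (!entry || now - entry.fetchedAt > CACHE_TTL_MS) {
    entry = { data: fetchImpl(upstreamUrl), fetchedAt: now };
    cache.set(upstreamUrl, entry);
  }
  return buildJsonpResponse(callback, entry.data);
}

// Constructed stand-in for a real HTTP fetch of the upstream feed.
const demoFetch = (u) => ({ source: u, prices: [180.1, 181.4] });
console.log(relay("http://www.bloomberg.com/markets/chart/data/1Y/IBM:US", "drawChart", demoFetch).body);
```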
I want to set up a project page on GitHub, so that it acts as a live site.
The site would require an API sid & token (both just long strings of text) that, in a self-hosted environment, the user would just add to the config file.
If I host this through GitHub project pages, users will supply their sid/token through a form. The page with the form will need to be served over SSL so that the sid/token aren't transferred as cleartext. The problem is that GitHub project pages don't allow SSL.
So, if I can find another secure way to take input through a form aside from using SSL, then I can host this whole thing as a hosted service through GitHub project pages.
The project would be open source, so I don't expect any sort of encoding/hashing scheme to work, since the methods would be public.
The sid/token are being used in curl calls to an API which is sent over SSL. Perhaps there's a way to direct the form input directly to that SSL URL instead of having it go through the non-SSL GitHub project page...
Any ideas?
You can just give the action attribute of the form the HTTPS URL of the target script, if that's possible.
You could also use some kind of Challenge-Response encryption/hashing scheme using Javascript. The algorithm for that would be something like this:
Server generates unique, random token, saves it and sends it to the client along with the form HTML.
On the client side, Javascript intercepts the form submission and hashes the sensitive form data with the server-generated token as a salt.
Server can now check whether the hash is equal to its own calculated hash value.
HOWEVER
A man-in-the-middle attacker with the ability to modify traffic (for example through ARP poisoning, DHCP or DNS spoofing) could always strip all your client-side protection mechanisms from the served HTML. Have a look at SSLStrip for a tool to rewrite HTTPS URLs to insecure HTTP URLs on the fly. The challenge-response could be defeated something like this:
Save token sent by the server, remove the Javascript from the HTML form.
As the form submission is not intercepted now, we get the raw input data.
Hash the data using the same algorithm that the Javascript would have performed.
Thank you for all the fish.
You see, an intercepting attacker can probably defeat any defense mechanism you try to make up.
I know very well that Android does not support MySQL,
but I need to connect to MySQL and get the information from the database.
I studied that there are SOAP and REST services to connect to MySQL from Android.
Is it possible? Then give me one idea and, if possible, one example, please.
I need to connect to MySQL and get the information from the database
You can get the data from the database with or without connecting to it. You can get it with or without SOAP. An agent on the server, usually a CGI script, makes the database request on the client's behalf. In SOAP, the query and response are often encoded in XML, and always transmitted by standard Internet methods such as HTTP or SMTP.
Non SOAP methods include CORBA, simple RPC, and home-grown solutions. If the database is open to the Internet, then a direct connection to the database port on the server is possible.
It's only the security restrictions that limit what you can do. In an environment where only mail, HTTP and FTP are possible, SOAP is a good protocol. If the client is actually a web browser, then AJAX is ideal.
For a typical data request, all you need to know is the URL (and associated protocol) on the server to query for the data. For example, using HTTP:
http://dataserver.example.com/chart_data.cgi?chart_num=2
The server-side script, chart_data.cgi, reads the query (from a GET request in this case), retrieves the information from the database and sends it, encoded in XML, back to the client, simply by writing the HTTP header and XML content to standard output. It is JavaScript and a browser protocol, XMLHttpRequest, that make the HTTP request and XML receipt possible.
So even on Android, when you browse the web and see all that information, on Amazon for example, a lot of that information is retrieved by agents at Amazon from their database, formatted for the client (the browser on Android) and sent back to the client. No Android-specific coding is required.
Use a custom remote agent such as a CGI script on a server to access a remote database. Android only needs to communicate with the agent.
Write a SOAP server using the language of your choice:
Google: Soap Server
Call it from Android:
How to call web service with Android
Of course, you don't have to do it in SOAP. You can just output the data from your web service in any format like JSON, plain text, XML, CSV, (or even HTML?) ... and consume it from Android.
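The server-side "agent" that both answers above describe (chart_data.cgi answering a GET for chart_num in the first, a web service emitting JSON in the second), as an added example that is not from either answer: the query value is validated against an allowed shape before it reaches the database and is passed to a parameterized query rather than spliced into SQL. The database is a constructed in-memory stand-in so the file runs offline; a real driver would receive the same SQL text and bound value. All names are hypothetical.

```javascript
// Added example: a JSON-returning agent for GET /chart_data?chart_num=N.
// Constructed sample table: chart_num -> rows of (t, v).
const CHART_POINTS = {
  1: [{ t: "2024-01-01", v: 10.5 }, { t: "2024-01-02", v: 11.0 }],
  2: [{ t: "2024-01-01", v: 99.0 }, { t: "2024-01-02", v: 97.5 }, { t: "2024-01-03", v: 98.2 }],
};
const CHART_SQL = "SELECT t, v FROM chart_points WHERE chart_num = ? ORDER BY t";

// Stand-in for a parameterized query: the value is bound, never concatenated into SQL.
function runQuery(sql, params) {
  if (sql !== CHART_SQL) throw new Error("stand-in supports only the chart query");
  return CHART_POINTS[params[0]] || [];
}

// query is the parsed query string, e.g. { chart_num: "2" }.
function handleChartData(query) {
  const raw = query.chart_num;
  // Accept only a small positive integer before the value gets near the database.
  if (typeof raw !== "string" || !/^[1-9]\d{0,8}$/.test(raw)) {
    return { status: 400, body: JSON.stringify({ error: "chart_num must be a positive integer" }) };
  }
  const chartNum = Number(raw);
  const rows = runQuery(CHART_SQL, [chartNum]);
  if (rows.length === 0) {
    return { status: 404, body: JSON.stringify({ error: "no such chart" }) };
  }
  return { status: 200, body: JSON.stringify({ chart_num: chartNum, points: rows }) };
}

// Entry point for the raw request target, e.g. "/chart_data?chart_num=2".
function routeGet(rawUrl) {
  const url = new URL(rawUrl, "http://localhost"); // base only needed to parse a relative target
  if (url.pathname !== "/chart_data") return { status: 404, body: JSON.stringify({ error: "not found" }) };
  return handleChartData(Object.fromEntries(url.searchParams));
}

console.log(routeGet("/chart_data?chart_num=2").body);
console.log(routeGet("/chart_data?chart_num=2%20OR%201%3D1").status); // 400
```

The Android side then only needs an HTTP GET and a JSON parser, exactly as the answers say.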