Using javascript, I generate the number I send to the server, is it possible to somehow avoid the fact that a person can send a request using curl (send another number). That is, I want the number to be exactly the one that is generated using javascript! Are there any solutions?

  • On the client, you need some kind of secret word (password) that you can use to sign (or encrypt) your number and check it on the server. - Vladimir Gamalyan
  • @VladimirGamalian so the client can look at this secret word in the browser through developer mode for example and send it also in the place with the number .. - bsbak
  • And, well, if the client is not your confidant, then there are no options. Is that something obfustsirovat, but for the time being. - Vladimir Gamalyan 2:51 pm
  • @VladimirGamalian obfuscation is also not an option, that is, in any way? gut - bsbak
  • one
    If the number depends only on the actions of the client, then there is no way at all, since you first of all entrusted him with the generation of this number. - D-side

3 answers 3

Any data that the client side creates, stores and sends (in this case, a bauser) can be sent to the server using Curl. You can apply dynamic variable names for data, csrf protection, obfuscation of the code that sends the data and generates it, but there are no solutions that will ensure that 100% of the expected data is received from the client side. Any equipment may be de-busted, any security or encryption algorithm can be solved.

The applied methods will work only if the time spent and the level of knowledge of the attacker are comparable to the value of the data obtained or the damage caused as a result of sending data other than expected.

Try to rethink the task and run it on the server side, for example.

  • For specific offers of protection, tell us more about the task being performed. - ilyaplot
  • As an example: let's say a person enters text from the keyboard within 1 minute, received a number - input speed. How to solve this problem on the server side? =) - bsbak
  • On a keyDown, send an ajax request and count the number of clicks per second on the server side. Either generally use websocket and send keystrokes directly to the server - ilyaplot
  • one
    A person using curl will simply send requests (as if a person pressed keyDown) and that’s all, your decision failed ... - bsbak
  • The task initially has no solution in this form. - ilyaplot

It is useless to defend. If we want to parse a site, then we arrive at Stack Overflow in Russian, ask an illiterate question. How to parse from the website Zagalovok, Picture, content? The plague is better to use which one is the fastest? ... and we immediately get a bunch of answers from the greedy to the turnip welders.

So the solution here is only one thing - the good old captcha, and one that the person doesn’t know right the first time. Again, all thanks to the well-wishers who happily help shkolote.

  • Here, it seems, clavogones invent, not protect content. - ilyaplot
  • one
    @ilyaplot You wanted an example, I gave it to you, and here clavagonki? Or you cannot be confronted with the fact that you did not find a solution and now curb ... - bsbak
  • @ user3737786 do not touch him, he is not adequate)) runs through the articles and is clever - ikerya
  • @ user3737786 However, my answer is still leading in terms of user ratings. I do not mind the lack of a solution to the current issue. And clavogonki is a project in which, most likely, some kind of protection is implemented. I recommend to see how. - ilyaplot
  1. a simple way to generate a random numeric value that you write in a session you give to the front. After that, we get the amount we get to this number and send the amount by Ajax, we check the amount on the server. If the difference is roughly to be in the not expected range. Easy way and just bypass.
  2. A one-time alphabetic key (generated on the server) + a shivirovaniya method (for example, letters in the key mean offset, and if you add this offset to a number, you will get another offset that is transported again into an alphanumeric code) after the hash is sent to the backend where the cache is decoded in reverse. More reliable and in principle a simple way.
  3. scrf along with the number send the key along with the number.
  4. Another simple way to send a time stamp along with a number, if the difference in the time of sending does not fit into a certain period of time, then by its beard.
  • I am grateful for the answer, but all this is not rolling and is easily forged ... - bsbak