CodeIgniter Forums
Prevent multi upload with users - Printable Version

Thread: Prevent multi upload with users (https://forum.codeigniter.com/showthread.php?tid=71200), in Using CodeIgniter > General Help



Prevent multi upload with users - omid_student - 07-18-2018

Hi,
In my app, a user can upload a file to the server with a username and password.
There are no problems with the upload or the authentication.
The big problem is this:
if a user has a username and password, they can upload a file with a PHP script.
Example:
POST: username=user&password=1234 and containing the file form

If a hacker executes this URL in a PHP script, they can upload a file to the server.

How can I make sure files can only be uploaded from the app?
Thanks


RE: Prevent multi upload with users - Pertti - 07-18-2018

(07-18-2018, 08:39 AM)omid_student Wrote: POST: username=user&password=1234 and containing the file form

Are the username and password in the URL, i.e. www.mydomain.com/upload/?username=user&password=1234?

Or do you mean that when the user makes a POST request, they are effectively posting their username and password at the same time as the file?


RE: Prevent multi upload with users - omid_student - 07-18-2018

(07-18-2018, 11:16 AM)Pertti Wrote:
(07-18-2018, 08:39 AM)omid_student Wrote: POST: username=user&password=1234 and containing the file form

Are the username and password in the URL, i.e. www.mydomain.com/upload/?username=user&password=1234?

Or do you mean that when the user makes a POST request, they are effectively posting their username and password at the same time as the file?
Yes, they make a POST request.
However, I encrypt the data with AES, but let's assume it is not encrypted.


RE: Prevent multi upload with users - Pertti - 07-18-2018

Got it.

So you are worried that if a hacker knows the endpoint URL, username and password, they can just keep uploading?

CodeIgniter CSRF protection might help. It won't stop them posting data at your server, which could become a DDoS issue on its own, but it will help you to filter out valid requests and ignore the rest.


RE: Prevent multi upload with users - omid_student - 07-18-2018

(07-18-2018, 11:51 AM)Pertti Wrote: Got it.

So you are worried that if a hacker knows the endpoint URL, username and password, they can just keep uploading?

CodeIgniter CSRF protection might help. It won't stop them posting data at your server, which could become a DDoS issue on its own, but it will help you to filter out valid requests and ignore the rest.

No, my problem is not the file type or content.
My problem is only to allow file upload from the app and to prevent file upload with the username and password via RESTful tools or PHP.
I tried to prevent it with the user agent or an API key specific to mobile, but it is not necessary.


RE: Prevent multi upload with users - Pertti - 07-18-2018

(07-18-2018, 12:12 PM)omid_student Wrote: No, my problem is not the file type or content.
My problem is only to allow file upload from the app and to prevent file upload with the username and password via RESTful tools or PHP.
I tried to prevent it with the user agent or an API key specific to mobile, but it is not necessary.

CSRF is not about the file type; it's for making sure the incoming requests originate from the server in the first place.

There's more stuff on it here:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet


RE: Prevent multi upload with users - omid_student - 07-18-2018

(07-18-2018, 12:39 PM)Pertti Wrote:
(07-18-2018, 12:12 PM)omid_student Wrote: No, my problem is not the file type or content.
My problem is only to allow file upload from the app and to prevent file upload with the username and password via RESTful tools or PHP.
I tried to prevent it with the user agent or an API key specific to mobile, but it is not necessary.

CSRF is not about the file type; it's for making sure the incoming requests originate from the server in the first place.

There's more stuff on it here:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Yes, I know, but that is good on the web.
When a user opens a form, we add a token into the form body while rendering it, and CodeIgniter checks it when we post it.
But in the application there is no form, and I would have to get a token before uploading the file, which I think is bad, isn't it?


RE: Prevent multi upload with users - omid_student - 07-18-2018

(07-18-2018, 12:39 PM)Pertti Wrote:
(07-18-2018, 12:12 PM)omid_student Wrote: No, my problem is not the file type or content.
My problem is only to allow file upload from the app and to prevent file upload with the username and password via RESTful tools or PHP.
I tried to prevent it with the user agent or an API key specific to mobile, but it is not necessary.

CSRF is not about the file type; it's for making sure the incoming requests originate from the server in the first place.

There's more stuff on it here:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Finally, I decided to generate a token, fetch it from the app, send it with each request and check it on the server.
I keep the token valid for 7200 s, stored in the session, and use JWT for the token.