Prevent multi upload with users
omid_student (07-18-2018, 08:39 AM):
Hi
In my app, users can upload a file to the server with a username and password. There is no problem with the upload or the authentication. The big problem is: if a user has the username and password, they can upload a file with a PHP script. Example POST: username=user&password=1234, and it contains the file form. If a hacker executes this URL in a PHP script, they can upload a file to the server. How can I prevent file upload except from the app? Thanks

Pertti (07-18-2018, 11:16 AM):
> (07-18-2018, 08:39 AM) omid_student Wrote: Post: username=user&password=1234 and contain file form
Are username and password on the URL - www.mydomain.com/upload/?username=user&password=1234
Or you mean when the user makes a POST request, effectively they are posting their username and password at the same time as the file?

omid_student:
> (07-18-2018, 11:16 AM) Pertti Wrote:
> > (07-18-2018, 08:39 AM) omid_student Wrote: Post: username=user&password=1234 and contain file form
Yes, I make a POST request. However, I encrypt the data with AES, but we assume it is not encrypted.

Pertti (07-18-2018, 11:51 AM):
Got it.
So you are worried that if a hacker knows the endpoint URL, username and password, they can just keep uploading? CodeIgniter CSRF protection might help; it won't stop them posting data at your server, which could become a DDoS issue on its own, but it will help you to filter out valid requests and ignore the rest.

omid_student (07-18-2018, 12:12 PM):
> (07-18-2018, 11:51 AM) Pertti Wrote: Got it.
No, my problem is not file type or content. My problem is only to allow file upload from the app and to prevent file upload with the username and password via RESTful tools or PHP. I try to prevent it with the user agent or a special API key for mobile, but it is not necessary.

Pertti (07-18-2018, 12:39 PM):
> (07-18-2018, 12:12 PM) omid_student Wrote: No, my problem is not file type or content
CSRF is not for file type, it's for making sure the incoming requests originate from the server in the first place. There's more stuff on it here: https://www.owasp.org/index.php/Cross-Si...heat_Sheet

omid_student:
> (07-18-2018, 12:39 PM) Pertti Wrote:
> > (07-18-2018, 12:12 PM) omid_student Wrote: No, my problem is not file type or content
Yes, I know, but it is good on the web. When the user opens a form, we add a token into the form body while opening the form, and CodeIgniter checks it when we post it. But in the application there is no form, and I have to get a token before uploading the file, which I think is bad, isn't it?

omid_student:
> (07-18-2018, 12:39 PM) Pertti Wrote:
> > (07-18-2018, 12:12 PM) omid_student Wrote: No, my problem is not file type or content
Finally, I decided to generate a token, get it from the app, send it with each request, and check it on the server. I save the token in the session for 7200s and use JWT for the token.