The website that I'm creating an app for doesn't have an API, but I need to use it. I can get information easily from the website by parsing the HTML and processing the nodes, but I need to be able to input data as well. For instants, I need to "log in" with information the user has already entered into the settings. To do this in real life, I would click the username field and then the password field and then hit ok, but through code, I need to send it directly through POST.
Also, I need to be able to retain the session cookies.
How do I do this?
Related
Why we need to use #Html.AntiForgeryToken()?
I searched but I didn't get satisfactory answer.
This is a security feature to help protect your application against cross-site request forgery.
Example:
Let's assume you have a register functionality in your web app. You have an AccountController (example.com/account/register) where you expect people to submit their info. Normally before someone posts the registration information needs to visit the actual (example.com/account/register) than submit the form.
Let say I am a bad guy and I want to flood your server with junk info all I need to do is just keep posting directly to (example.com/account/register) without visiting your site. So in order to stop me you implement AntiForgeryToken so you can make it sure I visited the page before I submitted the registration information.
Another example is http://www.binaryintellect.net/articles/20e546b4-3ae9-416b-878e-5b12434fe7a6.aspx.
This is to prevent Cross-site request forgery in your MVC application. This is part of the OWASP Top 10 and it is vital in terms of web security. Using the #Html.AntiforgeryToken() method will generate a token per every request so then no one can forge a form post.
What is the use of #Html.AntiForgeryToken()?
Live - Scenario :
Suppose, you are logged into your bank account and are going to transfer some money to your friend. A hacker knows that you are logged in and also knows the URL of the money transfer submission. Suddenly, you get an email and check it. You see an image and by mistake, you click on that. Then, after a minute or so, you get another message that some amount has been deducted from your account. Actually, that image had been sent by the hacker and behind that image a URL has been submitted on your click.
So that we use AntiForgeryToken() in application prevent from hackers.
Antiforgery() is for stopping robotic fill up of any forms. Which will stop adding data without getting into the form
AntiForgeryToken is a security token generated by the .Net Core web application, which is used to validate a post request to guard against Cross-Site Request.
AntiforgeryToken used for validating the post request. So if we access an MVC or RazorPages view which contains the form element with an attribute 'method="post"' then the view gets rendered with an automatic generated AntiforgertyToken value, which gets injected into the form as hidden input field.
I have a controller action which returns a password protected zip file to the user when the click a link. The password is generated randomly.
If the download is successful, I'd like to then call another action method on the controller to get the password and display it on the screen. I'd be happy to do it all in one request but it doesn't feel possibly in a non horrible way.
I'm using this library to download the file jquery download library
I can't use tempdata or session state and hitting the database feels a little bit like using a hammer to crack a nut. I've thought about storing it in the response or a cookie but that feels a bit wrong too.
URL or hidden field should do (that is, they are both user-stored either as part of POST or GET request).
The question is, how can you return the password to the client and start the download at the same time. If there's no server storage you can't do it, since they are separate HTTP requests (unless you use cookie). I think this is the best way to do it:
Open your download page, and generate the password at that time,
so you can put it in hidden field (for successCallback of jquery
download library)
When calling your server to download the file,
pass the password as get or post to the download URL, and use this
password to compress
Once download finishes, you know what the
password was, so you can redirect to another page and show it.
Actually, since you already have it on the page, you can show it
right after download using javascript. Or maybe you can just show
the password right away, while download is still happening.
So, this is probably reversal of your architecture. And possibly this is not acceptable (you may want to generate secure passwords and guarantee users don't mess with them - that's possible if you pass the password in the download request). But that's the only way without server or cookie storage.
use
return RedirectToAction("Action", new { id = 99 });
There's a subset of users which will not have access to the system I'm implementing in the beginning but I need a mechanism for them to capture data for one specific part of the process.
An authorized user creates the original record for a Person with some basic details i.e. First name, last name etc.
I then create a 'DataRequest' record which has a unique guid and the external user is sent an email with a path which is effectively http://sampleapplication/Person/Complete?guid=xxxx
The external user adds additional details like Date of Birth, Eye colour etc, submits and saves to the DB. The DataRequest for that guid is then expired and cannot be accessed again.
The Complete action doesn't have any authorization as these external users do not have user accounts.
My preference is to force these users to use the system but at this stage I'm not sure it's practical.
Is this a bad practice?
Should I be implementing some additional security on this like a one time password / passcode contained in the email? Are there alternative approaches I should consider?
There's nothing wrong with opening up a section of your site to the public. Tons of websites have secured and unsecured sections. However, there's also nothing saying that you have to expose your secure site at all. You can create another site that merely has access to that change those records and make that site alone, public.
As far as securing the information of the user, passcodes by email are the invention of some developer somewhere with limited mental ability or a severe lack of sleep. If the link is only available by email (not discoverable by search engines and not easily guessable), then anyone with the link will also have the passcode, making the passcode to access the link redundant.
You should however log when the email is used to finish the record and then disallow further uses.
I have been trying to work out if I can have a login form on my static homepage. I would like to have some static pages and it would be great to have a login form on them. I spent some time getting more familiar with the authenticity_token that is generated with form_tag and although I realize we want to generally check all requests that aren't GET requests I feel like it might be possible to leave it out for a login because we aren't trusting the user with anything until after they are logged in. If a malicious site tried to use CSRF at this point it would need to know the login and password at which point the user is compromised anyway.
I definitely don't want to open up any security holes in my application and I appreciate all that rails does to keep this working, but in this situation am I right to think I can just submit a form without the token?
The purpose of the token is so that data cannot easily enter your system unless it is coming directly from that form. When a user visits the site, they get a cookie that matches the token in the form. When the form is submitted, those tokens must match.
If someone can submit the data from outside the form, you are opening up the potential for a script to make continuous login attempts. It's fairly easy to write something that would automate going to your site, getting a cookie and logging in using the form, but it's definitely more work. Think of it as another layer of security that you can have without negatively affecting your users.
I'm trying to login to a website (http://www.meo.pt/ver/Pages/login.aspx) from within my application so that I can access the program listing, etc, I searched in the page source code for the html for of the username textbox and password textbox input.
<input name="ctl00$SPWebPartManager1$g_cb264700_1517_426f_926d_3ca40934a6fd$ctl00$EditModePanel1$txtUserName"
type="text"
id="ctl00_SPWebPartManager1_g_cb264700_1517_426f_926d_3ca40934a6fd_ctl00_EditModePanel1_txtUserName"
class="forms_login" />
I used the value in name and set the content of that key with the username and the same form the password. Then made a POST request to http://www.meo.pt/ver/Pages/login.aspx from which I got a response containing the HTML source of the same page, so login wasn't successful. I don't think the server even considered it a login try.
My question is how should I set the POST request values to make this work?
I'm using ASIHTTPRequest for iPhone.
My guess is that it's cookie-related: the page sends a cookie when it appears and requires that cookie along with the username and password. Odds are good that every POST and GET returns a cookie along with the page content, a cookie you'll need to send back.
If you use ASIHTTPRequest to perform the requests and use the same instance of the object to make subsequent requests, it will take care of sending those revised cookies each time. I love this library and recommend it.
http://allseeing-i.com/ASIHTTPRequest/
If instead you're using an NSURLConnection and prefer to manage the cookies yourself, the NSHTTPCookie object will help.