Messages 11 to 20 of 25 total
Thread Obfuscate JS output
Wed, Jul 12 2017 8:40 AM

Raul

Team Elevate

On 7/12/2017 7:25 AM, Big Al wrote:
> Is there any way for EWB to encrypt a string?

Sure.

How would you prevent one from just stepping thru the debugger in
Chrome and seeing what you are doing?

And how would you "hide" the encryption password? Anything embedded in
javascript is easy to find and if you send it from the server I can just
replay that.

Raul
Wed, Jul 12 2017 8:48 AM

Raul

Team Elevate

On 7/12/2017 5:30 AM, Big Al wrote:
> You're right, so I'm going to have to find a better way to keep my web service secure.
> I looked at OAuth a bit, but don't understand enough of it to be able to figure out how to make it work with my web service and ewb.

There is nothing wrong with using a username/password that the user has to
enter and the app then uses during the session.

The web service simply has to authenticate every request and not return
anything for unauthenticated users.

This and running over TLS is totally adequate for many projects.

You can definitely take this further and either create your own session
token model or move to something like OAuth2 or OpenID, but complexity
will increase with these implementations, so decide if you really need it
first.

Raul
Wed, Jul 12 2017 11:10 AM

Matthew Jones

Big Al wrote:

> keep my web service secure.

Secure from what?

--

Matthew Jones
Wed, Jul 12 2017 2:01 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

<< Has anyone looked into any way to obfuscate the JS output? >>

As mentioned already, EWB already obfuscates the JS if you turn on compression in the compiler.

<< I was wondering if any of the obfuscating tools out on the internet work to make it much harder for anyone to understand what the js file is actually doing? >>

Don't rely on this to protect anything.  A determined hacker/developer can *always* figure out what your application is doing.  Even .exes aren't secure if the hacker has direct access to them and can run them, so JS obfuscation is definitely not going to do the job.

Again, don't put *anything* related to security in your EWB code (no back-doors or special passwords), but *do* use https and authentication on every web service request to ensure that your web service can protect itself from malicious use/access.

EWB will have more to offer in this area once I get the back-end coding/execution layer completed for the EWB Web Server.

Tim Young
Elevate Software
www.elevatesoft.com
Wed, Jul 12 2017 3:18 PM

Big Al

>>Tim Young [Elevate Software] wrote:


>>*do* use https and authentication on every web service request to ensure that your web service can protect itself from
>>malicious use/access.

I would love to use authentication on every web service request just trying to figure out how to do that reliably and securely.

I'll do more research.

Big Al
Wed, Jul 12 2017 3:55 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

<< I would love to use authentication on every web service request just trying to figure out how to do that reliably and securely. >>

Are you using the EWB Web Server or something else ?

Tim Young
Elevate Software
www.elevatesoft.com
Wed, Jul 12 2017 7:15 PM

Big Al

Tim Young [Elevate Software] wrote:

>>Are you using the EWB Web Server or something else ?

I am using something else at this point, but the most important thing is to get it working so I am open to whatever I need to use.

Big Al
Wed, Jul 12 2017 7:19 PM

Big Al

"Matthew Jones" wrote:

>>Big Al wrote:
>>
>>> keep my web service secure.
>>
>>Secure from what?

Matt, didn't mean to ignore your question.

My web service is being used to select, update, delete and insert data from my database.

I need it to be secure so only my app under app control can update the database.

Big Al
Wed, Jul 12 2017 7:28 PM

Raul

Team Elevate

On 7/12/2017 3:18 PM, Big Al wrote:
> I would love to use authentication on every web service request just trying to figure out how to do that reliably and securely.

At the very basic level:

This is driven by both app design and service design.

Web service should look for credentials included with every request and
only if those are present and can be authenticated return data (and
limit data to what that user can see - but that would be up to your db
queries etc now)

From app side you need to ask user to authenticate whenever they start
the app and then you can cache those credentials for the session.

Include credentials with every request (either as url params or headers
- your web service needs to extract it from same).

If you centralize your web requests into a global class then including
this is pretty easy (store them globally and every time you execute a new
request just include them).

How you decide to implement auth details is really up to you - use
username/password every time, or at startup use username/password and then
get a sessionid from the service that you can then use as a url param.

That's pretty much it.

Raul
Wed, Jul 12 2017 8:02 PM

Big Al

>>Raul wrote:

>>Web service should look for credentials included with every request and
>>only if those are present and can be authenticated return data (and
>>limit data to what that user can see - but that would be up to your db
>>queries etc now)

Totally agree

>> From app side you need to ask user to authenticate whenever they start
>>the app and then you can cache those credentials for the session.

Ok, let's say my app now has the username and password based on what the user entered.

>>Include credentials with every request (either as url params or headers
>>- your web service needs to extract it from same ).

That's the part I'm missing.... If I pass the username/password on the URL, then a person could see it, though they would only see their own since that's the only way I believe they would have a valid username/password.
But that exact URL could be saved and used at a later time again?? Maybe there is some way I could stop that from happening. If the URL was used to insert or update data, then running it again would insert or update data.
Maybe I'm just not thinking it thru but that seems like that might be an issue.

>>If you centralize your web requests into global class then including
>>this is pretty easy (store them globally and every time you execute new
>>request just include).

I don't understand how to do that yet, but I understand what you're saying and will eventually make that happen.

>>How you decide to implement auth details is really up to you - use
>>username/password every time or startup use username/password and then
>>get a sessionid from service that you can then use as url param.

If I got a session ID, I don't really have sessioning on the web service side, but could implement something like that without too much trouble. Again, if someone grabs the URL, could they update data later if it's soon so the same session might be active?

Thanks for your explanation. I still have questions, but we'll see what can be done.

Big Al
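
An added illustration, not code from any poster in this thread or from EWB: a sketch of the server-side check Raul describes (authenticate every request, session id issued after login), extended with a session expiry and a one-time request id so that a captured write request is refused when it is run again, which is the replay concern in the post above. The `x-request-id` header, the in-memory session store and the `demoVerify` credentials are assumptions made for the example.

```javascript
// Added example; names, header and credentials below are assumptions.
const { randomBytes } = require('crypto');

const SESSION_TTL_MS = 15 * 60 * 1000; // assumed idle timeout

// Constructed demo check; a real service compares against a salted hash.
const demoVerify = (user, pw) => user === 'alice' && pw === 'constructed-demo-password';

function createAuthService(verifyPassword, now = Date.now) {
  const sessions = new Map(); // token -> { user, expires, seenIds }

  // Username/password are sent once, at login, over TLS.
  function login(user, password) {
    if (!verifyPassword(user, password)) return null;
    const token = randomBytes(32).toString('hex'); // unguessable session id
    sessions.set(token, { user, expires: now() + SESSION_TTL_MS, seenIds: new Set() });
    return token;
  }

  // Run for EVERY request before any database work is done.
  function authorize(req) {
    const m = /^Bearer ([0-9a-f]{64})$/.exec(req.headers.authorization || '');
    const session = m ? sessions.get(m[1]) : undefined;
    if (!session) return { status: 401 };
    if (now() > session.expires) {
      sessions.delete(m[1]);
      return { status: 401 };
    }
    if (req.method !== 'GET') {
      // Writes carry a client-generated one-time id; a repeat is refused.
      const id = req.headers['x-request-id'];
      if (!id) return { status: 400 };
      if (session.seenIds.has(id)) return { status: 409 };
      session.seenIds.add(id);
    }
    session.expires = now() + SESSION_TTL_MS; // sliding expiry
    return { status: 200, user: session.user };
  }

  function logout(token) { sessions.delete(token); }

  return { login, authorize, logout };
}
```

Sending the token in a header rather than in the URL keeps it out of browser history and server access logs.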