New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Not exposing any routes to an attacker, but still accessible by javascript #166

Open
mikebaldry opened this Issue Sep 24, 2015 · 4 comments

Comments

Projects
None yet
5 participants
@mikebaldry

mikebaldry commented Sep 24, 2015

It'd be cool to store the routes with the key being hashed, then the value being encrypted with the original key. This way nothing would be gained by looking at the routes, only when you made use of a route would it expose it (and if you're using an admin_deploy_nukes_path, you'll have probably authenticated them already)

example:

routeMap = {
 "<sha1 of admin_deploy_nukes_path>": "<AES encrypted path, with the key admin_deploy_nukes_path>"
}

findRoute = (routeName) ->
  hashedRouteName = SHA1(routeName)
  AES.decrypt(routeMap[hashedRouteName], routeName) #assuming (data, key)

Of course this would require 2 extra libraries but I guess they're pretty small and the amount of data being encrypted/hashed would be small, so pretty quick.

Maybe overkill but might be a nice option?

@le0pard

This comment has been minimized.

Show comment
Hide comment
@le0pard

le0pard Sep 24, 2015

Member

You can remove unneeded routes by config, if it is so scary to show it is in JS.

Member

le0pard commented Sep 24, 2015

You can remove unneeded routes by config, if it is so scary to show it is in JS.

@bogdan

This comment has been minimized.

Show comment
Hide comment
@bogdan

bogdan Sep 24, 2015

Collaborator

That looks interesting as an idea. I don't see a way of implementing that without changing an API as you call a route like this:

Routes.user_path(1)
// but not like
Routes.run(:user_path, 1)

This is kind a big deal and I don't think that a lot of people will want it even if they are seriously security-concerned.

It could be done in ruby without changing an API with method missing that is not available on JS.
Let's think of a way to do it without API change or other concerns.

Collaborator

bogdan commented Sep 24, 2015

That looks interesting as an idea. I don't see a way of implementing that without changing an API as you call a route like this:

Routes.user_path(1)
// but not like
Routes.run(:user_path, 1)

This is kind a big deal and I don't think that a lot of people will want it even if they are seriously security-concerned.

It could be done in ruby without changing an API with method missing that is not available on JS.
Let's think of a way to do it without API change or other concerns.

@kriansa

This comment has been minimized.

Show comment
Hide comment
@kriansa

kriansa May 23, 2016

I don't think it'd add any security to your app at all, since your routes would still be exposed anyway. Not only that, but decrypting this file wouldn't be difficult at all, since your legitimate client already do so:

findRoute('admin_deploy_nukes_path')

Honestly, I don't see any benefits on it.

kriansa commented May 23, 2016

I don't think it'd add any security to your app at all, since your routes would still be exposed anyway. Not only that, but decrypting this file wouldn't be difficult at all, since your legitimate client already do so:

findRoute('admin_deploy_nukes_path')

Honestly, I don't see any benefits on it.

@thomasbiddle

This comment has been minimized.

Show comment
Hide comment
@thomasbiddle

thomasbiddle Nov 30, 2016

While interesting; security by obfuscation isn't security.

thomasbiddle commented Nov 30, 2016

While interesting; security by obfuscation isn't security.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment