
I have a web application that does file conversion. I checked the usage statistics today and realized that 20-30 files are uploaded and converted every second from the same IP. I checked the browser's header info (I write every request's HTTP header info to my database) and found this:

Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko)

I think someone is using my web service in an iOS application for converting files. How can I find out which application this is, or how can I stop this?

onivi
  • Without knowing how your web service is supposed to be used, here are a couple of suggestions: block the IP address (probably won't work for long); add an API key to your legitimate requests; implement a proper login id & password; limit successive requests from the same IP (first five, immediate, next five wait 10 seconds...) –  Oct 20 '13 at 23:46
  • It's interesting that an iOS app is always connecting with the same IP. – emreoktem Oct 20 '13 at 23:49
  • there is only an upload form.. that's it.. but it is not a public service, only my customers can access it.. this means someone logs in to the application via UIWebView and is using my web service.. – onivi Oct 20 '13 at 23:49
  • @emreoktem there are a lot of requests from different IPs. – onivi Oct 20 '13 at 23:51
  • It may be a stupid suggestion, but if you've shared the URL of the service only with your customers, might it help to check the location of some connected IPs by using a tool like ip2location? It may give an idea about which customer, etc... – emreoktem Oct 20 '13 at 23:54
  • @emreoktem wow, it is not a stupid suggestion.. thank you for the advice.. I will try this.. but I also want to stop someone using my web service via a bot or application.. I guess the best method is using a captcha.. – onivi Oct 20 '13 at 23:59
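
The per-IP limit suggested in the first comment (first five requests immediate, the next five spaced 10 seconds apart), as an added Python example that is not code from this thread. The 60-second window, the refusal beyond ten requests, the HTTP 429 status and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

WINDOW = 60.0  # seconds of history kept per client (assumed value)
FREE = 5       # first five requests in the window are served immediately
SLOW = 5       # the next five must each be DELAY seconds after the last served one
DELAY = 10.0


class TieredThrottle:
    def __init__(self):
        self.hits = defaultdict(deque)  # client key -> timestamps of served requests

    def check(self, key, now):
        """Return (http_status, retry_after_seconds) for one request."""
        q = self.hits[key]
        while q and now - q[0] >= WINDOW:  # forget requests older than the window
            q.popleft()
        if len(q) < FREE:
            q.append(now)
            return 200, 0.0
        if len(q) < FREE + SLOW:
            wait = DELAY - (now - q[-1])
            if wait > 0:
                return 429, wait  # refused requests are not recorded
            q.append(now)
            return 200, 0.0
        # Assumed third tier: refuse until the oldest served request ages out.
        return 429, WINDOW - (now - q[0])


def replay(records):
    """records: iterable of (timestamp, key). Returns {key: [served, refused]}."""
    throttle = TieredThrottle()
    totals = defaultdict(lambda: [0, 0])
    for ts, key in sorted(records):
        status, _ = throttle.check(key, ts)
        totals[key][0 if status == 200 else 1] += 1
    return dict(totals)


# Constructed sample: one client at 25 requests/second for two seconds,
# one ordinary customer uploading every 30 seconds (documentation addresses).
SAMPLE = [(i * 0.04, "203.0.113.7") for i in range(50)] + \
         [(t, "198.51.100.20") for t in (0.0, 30.0, 60.0)]

if __name__ == "__main__":
    for key, (served, refused) in replay(SAMPLE).items():
        print(f"{key}: served={served} refused={refused}")
```

Because the asker reports requests from many different IPs and the form sits behind a customer login, the same class can be keyed on the logged-in account id instead of the address.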

1 Answer


If it's your own form, you may use a captcha, but this may create problems if you or any of your allowed customers want to use it through an application instead of a web view. (I'm not sure if you have such a case.) My basic solution would be adding basic authentication to the page at the web server level (IIS, etc...)...

emreoktem